Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91493-7 References:
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 2022-12-05 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 61 groups and 177 rules | Group
@@ -122,7 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -422,7 +422,33 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-83048-9 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r603262_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 57 groups and 153 rules | Group
@@ -122,7 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -398,7 +398,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -441,7 +441,27 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91492-9 References:
- BP28(R58) | | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91493-7 References:
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 2022-12-05 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 27 groups and 37 rules | | Group
@@ -109,7 +109,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-83013-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -173,7 +173,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-83012-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -244,7 +244,20 @@
$ sudo zypper install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-91476-2 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-91474-7 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
- CCE-91478-8 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 100 groups and 255 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -406,7 +406,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -565,7 +565,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 89 groups and 193 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -406,7 +406,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -515,7 +515,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 190 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -406,7 +406,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -515,7 +515,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 98 groups and 254 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -406,7 +406,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-92211-2 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -565,7 +565,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- Web Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 90 groups and 211 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-91632-0 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-91634-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -458,7 +458,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -516,7 +516,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 63 groups and 152 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-91632-0 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-91634-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -458,7 +458,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -516,7 +516,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- File Permissions and Masks
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 4 groups and 3 rules | | Group
@@ -114,7 +114,11 @@
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | Identifiers:
CCE-91627-0 References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | | Identifiers and References | Identifiers:
CCE-91666-8 References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
| Rule
Verify Permissions on passwd File
[ref] |
@@ -204,7 +204,12 @@
accounts on the system and associated information, and protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd | | Identifiers and References | Identifiers:
CCE-91452-3 References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
|
Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-12-05 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:12
- cpe:/o:suse:linux_enterprise_server:12
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 238 rules | Group
@@ -111,7 +111,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.4.1, SV-217148r603262_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,7 +169,66 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-83204-8 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -325,7 +325,33 @@
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 2022-12-05 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 61 groups and 171 rules | Group
@@ -122,7 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -398,7 +398,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -441,7 +441,27 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91184-2 References:
- BP28(R58) | | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91185-9 References:
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html 2022-12-05 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 61 groups and 184 rules | Group
@@ -122,7 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -417,7 +417,33 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-91214-7 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 57 groups and 160 rules | Group
@@ -122,7 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -398,7 +398,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -441,7 +441,27 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91184-2 References:
- BP28(R58) | | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91185-9 References:
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html 2022-12-05 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 27 groups and 44 rules | | Group
@@ -109,7 +109,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-83291-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -173,7 +173,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-85663-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -244,7 +244,20 @@
$ sudo zypper install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-91163-6 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-91165-1 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
- CCE-91166-9 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 109 groups and 284 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -401,7 +401,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -560,7 +560,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 97 groups and 221 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -401,7 +401,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -510,7 +510,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 91 groups and 218 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -401,7 +401,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -510,7 +510,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 107 groups and 283 rules | Group
@@ -115,7 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -401,7 +401,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-91341-8 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.6.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -560,7 +560,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), Req-6.2, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 137 rules | | Group
@@ -141,7 +141,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-85788-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -328,7 +328,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-85782-1 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -475,7 +475,25 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-85776-3 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -548,7 +548,11 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-85795-3 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -649,7 +649,69 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-85777-1 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 100 groups and 256 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-85788-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-85782-1 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -458,7 +458,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -516,7 +516,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 63 groups and 160 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-85788-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -340,7 +340,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-85782-1 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -458,7 +458,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -516,7 +516,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 52 groups and 167 rules | Group
@@ -113,7 +113,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -171,7 +171,66 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -331,7 +331,22 @@
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 2022-12-05 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 165 rules | | Group
@@ -127,7 +127,66 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -287,7 +287,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Configure AIDE to Verify Access Control Lists (ACLs)
[ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
@@ -413,7 +413,35 @@
/etc/aide.conf | | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | | Identifiers and References | Identifiers:
CCE-85623-7 References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-15-040040, SV-234986r622137_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Web Server
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 45 groups and 119 rules | | Group
@@ -209,7 +209,10 @@
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | | Identifiers and References | Identifiers:
CCE-83261-8 References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SLES-15-010010, SV-234802r622137_rule | | |
| | Group
Account and Access Control
Group contains 7 groups and 16 rules | [ref]
@@ -313,7 +313,108 @@
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny | | Identifiers and References | Identifiers:
CCE-85842-3 References:
- BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050 | | |
| Rule
+ Configure the root Account for Failed Password Attempts
+ [ref] | This rule configures the system to lock out the root account after a number of
+incorrect login attempts using pam_faillock.so.
+pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
+defined to work as expected. In order to avoid errors when manually editing these files, it is
+recommended to use the appropriate tools, such as authselect or authconfig,
+depending on the OS version. Warning:
+ If the system relies on authselect tool to manage PAM settings, the remediation
+will also use authselect tool. However, if any manual modification was made in
+PAM files, the authselect integrity check will fail and the remediation will be
+aborted in order to preserve intentional changes. In this case, an informative message will
+be shown in the remediation report.
+If the system supports the /etc/security/faillock.conf file, the pam_faillock
+parameters should be defined in faillock.conf file. | | Rationale: | By limiting the number of failed logon attempts, the risk of unauthorized system access via
+user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
+the account. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root | | Identifiers and References | Identifiers:
+ CCE-91171-9 References:
+ BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_desktop:15
- cpe:/o:suse:linux_enterprise_server:15
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 83 groups and 238 rules | Group
@@ -111,7 +111,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,7 +169,66 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -329,7 +329,22 @@
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -151,19 +151,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -176,24 +186,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -201,9 +216,9 @@
-
+
-
+
@@ -216,21 +231,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -1688,20 +1688,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1723,6 +1709,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -1740,20 +1740,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1775,6 +1761,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -151,19 +151,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -176,24 +186,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -201,9 +216,9 @@
-
+
-
+
@@ -216,21 +231,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -1688,20 +1688,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1723,6 +1709,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -1740,20 +1740,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1775,6 +1761,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,34 +7,34 @@
2022-12-05T00:00:00
-
- Verify Permissions on shadow File
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Configure low address space to protect from user allocation
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Enable cron Service
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Verify No netrc Files Exist
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Disable kexec system call
+
+ Disable the uvcvideo module
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
@@ -43,838 +43,838 @@
ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Use Centralized and Automated Authentication
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Disable x86 vsyscall emulation
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Enable SSH Warning Banner
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1
-
- Enable Kernel Parameter to Enforce DAC on Hardlinks
+
+ IOMMU configuration directive
- ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
+ ocil:ssg-grub2_enable_iommu_force_action:testaction:1
-
- Enable poison without sanity check
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Verify Group Who Owns /var/log/syslog File
+
+ Allow Only SSH Protocol 2
- ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1
+ ocil:ssg-sshd_allow_only_protocol2_action:testaction:1
-
- Record Attempts to Alter Time Through clock_settime
+
+ Disable mutable hooks
- ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
+ ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Configure auditd mail_acct Action on Low Disk Space
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
-
- Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+
+ Enable Use of Privilege Separation
- ocil:ssg-auditd_overflow_action_action:testaction:1
+ ocil:ssg-sshd_use_priv_separation_action:testaction:1
-
- Avoid speculative indirect branches in kernel
+
+ All GIDs referenced in /etc/passwd must be defined in /etc/group
- ocil:ssg-kernel_config_retpoline_action:testaction:1
+ ocil:ssg-gid_passwd_group_same_action:testaction:1
-
- Verify User Who Owns Backup passwd File
+
+ Enable auditd Service
- ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-service_auditd_enabled_action:testaction:1
-
- Verify Permissions on SSH Server Private *_key Key Files
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-file_permissions_sshd_private_key_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Verify Permissions on /var/log Directory
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-file_permissions_var_log_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - unlink
+
+ Ensure /srv Located On Separate Partition
- ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
+ ocil:ssg-partition_for_srv_action:testaction:1
-
- Set SSH authentication attempt limit
+
+ Verify Only Root Has UID 0
- ocil:ssg-sshd_set_max_auth_tries_action:testaction:1
+ ocil:ssg-accounts_no_uid_except_zero_action:testaction:1
-
- Configure auditd admin_space_left Action on Low Disk Space
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - reboot
- ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1
+ ocil:ssg-audit_privileged_commands_reboot_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -43,19 +43,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -68,24 +78,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -93,9 +108,9 @@
-
+
-
+
@@ -108,21 +123,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -1580,20 +1580,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1615,6 +1601,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -1632,20 +1632,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1667,6 +1653,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -124,7 +124,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -167,15 +167,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
@@ -184,25 +188,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -215,74 +223,66 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -5290,6 +5290,22 @@
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE-92211-2
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+ else
+ printf '\n' >> /etc/sysconfig/prelink
+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
+
+ # Undo previous prelink changes to binaries if prelink is available.
+ if test -x /usr/sbin/prelink; then
+ /usr/sbin/prelink -ua
+ fi
+fi
+
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -126,7 +126,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -169,15 +169,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
@@ -186,25 +190,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -217,74 +225,66 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -5292,6 +5292,22 @@
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE-92211-2
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+ else
+ printf '\n' >> /etc/sysconfig/prelink
+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
+
+ # Undo previous prelink changes to binaries if prelink is available.
+ if test -x /usr/sbin/prelink; then
+ /usr/sbin/prelink -ua
+ fi
+fi
+
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,94 +7,118 @@
2022-12-05T00:00:00
-
- Configure the root Account for Failed Password Attempts
+
+ Ensure shadow group is empty
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-ensure_shadow_group_empty_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Disable GDM Unattended or Automatic Login
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-gnome_gdm_disable_unattended_automatic_login_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Add nosuid Option to /tmp
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Disable SCTP Support
+
+ Configure low address space to protect from user allocation
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Verify Permissions on cron.daily
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Enable cron Service
+
+ Verify No netrc Files Exist
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
- ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Record Any Attempts to Run chacl
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-audit_rules_execution_chacl_action:testaction:1
-
- Disable kexec system call
+
+ Disable Kernel Parameter for IPv6 Forwarding
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1
-
- Install iptables Package
+
+ Limit Password Reuse
- ocil:ssg-package_iptables_installed_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
+
+
+
+ Disable the uvcvideo module
+
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
+
+
+
+ All Interactive User Home Directories Must Be Owned By The Primary User
+
+ ocil:ssg-file_ownership_home_directories_action:testaction:1
+
+
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
+
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
+
+
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
@@ -103,292 +127,292 @@
ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Add nosuid Option to /boot
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-mount_option_boot_nosuid_action:testaction:1
-
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+ Ensure sudo umask is appropriate - sudo umask
- ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
+ ocil:ssg-sudo_add_umask_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Use Centralized and Automated Authentication
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Ensure All SGID Executables Are Authorized
+
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -43,15 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
@@ -60,25 +64,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -91,74 +99,66 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -5166,6 +5166,22 @@
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE-92211-2
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+ else
+ printf '\n' >> /etc/sysconfig/prelink
+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
+
+ # Undo previous prelink changes to binaries if prelink is available.
+ if test -x /usr/sbin/prelink; then
+ /usr/sbin/prelink -ua
+ fi
+fi
+
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
@@ -5204,22 +5220,6 @@
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -171,15 +171,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
@@ -188,25 +192,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -224,74 +232,66 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -6672,6 +6672,22 @@
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE-91341-8
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+ else
+ printf '\n' >> /etc/sysconfig/prelink
+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
+
+ # Undo previous prelink changes to binaries if prelink is available.
+ if test -x /usr/sbin/prelink; then
+ /usr/sbin/prelink -ua
+ fi
+fi
+
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -130,7 +130,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -173,15 +173,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
@@ -190,25 +194,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -226,74 +234,66 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -6674,6 +6674,22 @@
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE-91341-8
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+ else
+ printf '\n' >> /etc/sysconfig/prelink
+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
+
+ # Undo previous prelink changes to binaries if prelink is available.
+ if test -x /usr/sbin/prelink; then
+ /usr/sbin/prelink -ua
+ fi
+fi
+
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,106 +7,148 @@
2022-12-05T00:00:00
-
- User Initialization Files Must Be Group-Owned By The Primary User
+
+ Ensure shadow group is empty
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
+ ocil:ssg-ensure_shadow_group_empty_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Disable GDM Unattended or Automatic Login
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-gnome_gdm_disable_unattended_automatic_login_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Add nosuid Option to /tmp
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Disable SCTP Support
+
+ Configure low address space to protect from user allocation
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Verify Permissions on cron.daily
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Enable cron Service
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Ensure there are no legacy + NIS entries in /etc/shadow
+
+ Verify No netrc Files Exist
- ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
- ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Record Any Attempts to Run chacl
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-audit_rules_execution_chacl_action:testaction:1
-
- Disable kexec system call
+
+ Disable Kernel Parameter for IPv6 Forwarding
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1
-
- Install iptables Package
+
+ Limit Password Reuse
- ocil:ssg-package_iptables_installed_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
+
+
+
+ Disable DHCP Service
+
+ ocil:ssg-service_dhcpd_disabled_action:testaction:1
+
+
+
+ Disable the uvcvideo module
+
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
+
+
+
+ Set Default firewalld Zone for Incoming Packets
+
+ ocil:ssg-set_firewalld_default_zone_action:testaction:1
+
+
+
+ All Interactive User Home Directories Must Be Owned By The Primary User
+
+ ocil:ssg-file_ownership_home_directories_action:testaction:1
+
+
+
+ Use Only Strong Ciphers
+
+ ocil:ssg-sshd_use_strong_ciphers_action:testaction:1
+
+
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
+
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
+
+
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -43,15 +43,19 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
@@ -60,25 +64,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -96,74 +104,66 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -6544,6 +6544,22 @@
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
CCE-91341-8
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+ else
+ printf '\n' >> /etc/sysconfig/prelink
+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
+
+ # Undo previous prelink changes to binaries if prelink is available.
+ if test -x /usr/sbin/prelink; then
+ /usr/sbin/prelink -ua
+ fi
+fi
+
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
@@ -6582,22 +6598,6 @@
RPMS.2017/scap-security-guide-debian-0.1.65-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.65-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-debian-0.1.65-0.0.noarch.rpm to scap-security-guide-debian-0.1.65-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -149,4 +149,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 00580c65344a14e5c56af6e7ecbb1a547acb08cf9d31b8c470475a0075644ed4 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 298bfa72e2809b519545d2bb6d50b63f8e213c389e2bf395b0093355989faeba 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 32033510919c3e38683aa1758cc2bf5079e4b80112037fc4e0a288c76387602d 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html bbd8e4f44496c39d6f08978a572e9228a002068602da5176ac04cbf04cf3d00a 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html d26c3cc8a0bef976509163fb046f7374b120f2c8f362916f99e12ab6d29ff311 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 044c3e284160cc47aac999093f23d25b916fe761cb66ac896212c4b9d265f47f 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html be3491aa61695febf2bad56d06592a9b85a70203e594ed3ee74a28f7459a41df 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 4f7ce7f71bbdcb31f2e05f0407a5dfbfa6717beb73e54b92380b0e41db7c31dc 2
@@ -154,5 +154,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 2fff7369e6d85ae70f03e816e566cad4ba713704ea3d87082465ddb9f43f4378 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html eae361572ef2681892a00805637e11b20fe2791b414dd20a959fc4e8c6d209a5 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 5ac5c50d616fcd25effe859a426bc1d3aaab78479c5d6d51e2cb6ecd8be531e7 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html f0ac128e71574a8fe006672d86edda02977e643f3497c9deb9e59108c12b8dae 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 41dde17172859be30b676cf5e6e8a8c235dac36c3fee78a31f9b2f099a7b067f 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 4e09424b09865b7b6e1a18ce6f7bf86b4c2f86ccbb43d76e7d31a10041e4736b 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html abe753fb6a234a83234fc6e61007c536e72b7270af784bb6335f0b124e955ff5 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 6fe58fbf9040c6ae00e163238b6f4194cf6be60d657c3a3707633ce446bda0c7 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 8e9b96baef504fa53d1d7da3a07431ef8b13d824702319623e8f5b351d99ef07 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 59bc81223d983fdd72724f43c2a47e1996b306b298ccc173964305380ef4eb91 2
@@ -160 +160 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html d9b8244c33f3584f5f8858760823c202a70e4073adcd8eb267307bc2719e55b6 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html c37393a5c7df4377a6f60ec2a3664529f95ca56882f2c9fbb06eb3c765aff82a 2
@@ -193,3 +193,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 72768e8f5d982a56a5c002f67ed399e91aa3abccbfbba8d0a075637d7c311b56 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml f4f22dafcd8360ab9a622a5619ce4c1cf808e48d67416079a58276c16e8c99a1 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml c1872f454ee9d8e9d8eb03e69a320a70ac24635a82721d1c3e54a620455fcf6b 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml a0394ae4623ee63b2f394ed882053020365f9fb55ff3a5ea0b7a8349350b7567 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 4e3071d31678912a111f67a2acdbedde43d63a6fb60d99bfbe1151d1ab282752 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 9bce54ef866c32630b4f08bacebf3009ba269e92a8f7c23cfe931b282e415c43 0
@@ -197 +197 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 27f5cd6a23acf336db7b6a4807f03f2a32dddfb64f2259841add5cca32f91b3c 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 1aac6c3bf5a79c25b0dfd0c0f84a94bf8d8f9d9d85b7cacc20c36174ec662d22 0
@@ -200,3 +200,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 02293c19611b1cb60280b1fd3498d19d906a353307481ae31027e339de0fecbc 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 91cd18bfd698192d580ec914a03dcfc125b4b583a76778730c2c1a4d5292136b 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 24c914fc9f29796b4c3170a7def4a84a37e21edb43a92dcc621b43f81eb06083 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 7406829e557090ce74261d7564bf9395621de6e8dc8145e1b8c572fddee80d13 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml da775106c6ce11a9b6b4d07c27be453e9a44fd2f5d88fe202c3cdf6873376d01 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 1878d4e3ce7218462b8f913c14d92db5ff37e0465aa6a99c5500e68ecd7b8bdc 0
@@ -204 +204 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 47c3bedb6a19e924214d763d1a74c738596935c531442491dcf601fe1ed251e9 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 80060bfe40d330efa89a75158c4b04d652af1775675ad854f82f9a6567f8bff9 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 20 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules | [ref]
@@ -483,7 +483,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
| | Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -400,7 +400,18 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
GRUB2 bootloader configuration
Group contains 1 rule | [ref]
@@ -611,7 +611,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 11 groups and 24 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,7 +237,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
| Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,7 +268,18 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 22 groups and 49 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -400,7 +400,18 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -590,7 +590,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 19 groups and 44 rules | | Group
@@ -230,7 +230,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -276,7 +276,18 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -466,7 +466,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
| Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 10.
@@ -581,7 +581,18 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 20 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules | [ref]
@@ -483,7 +483,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
| | Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -400,7 +400,18 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
GRUB2 bootloader configuration
Group contains 1 rule | [ref]
@@ -611,7 +611,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 11 groups and 24 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,7 +237,18 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | |
| Rule
Enable syslog-ng Service
[ref] | The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,7 +268,18 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 22 groups and 49 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -400,7 +400,18 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -590,7 +590,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 19 groups and 44 rules | | Group
@@ -230,7 +230,18 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -276,7 +276,18 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -466,7 +466,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | |
| Rule
Enable rsyslog Service
[ref] | The rsyslog service provides syslog-style logging by default on Debian 11.
@@ -581,7 +581,18 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | Remediation OSBuild Blueprint snippet ⇲
+[customizations.services]
+enabled = ["rsyslog"]
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | enable |
|---|
include enable_rsyslog
+
+class enable_rsyslog {
+ service {'rsyslog':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | enable |
|---|
- name: Enable service rsyslog
block:
- name: Gather the package facts
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -143,29 +143,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -173,24 +183,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -198,9 +213,9 @@
-
+
-
+
@@ -213,21 +228,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -2040,6 +2040,19 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
- name: Ensure aide is installed
package:
name: aide
@@ -2056,19 +2069,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3113,20 +3113,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3148,6 +3134,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -143,29 +143,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -173,24 +183,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -198,9 +213,9 @@
-
+
-
+
@@ -213,21 +228,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -2040,6 +2040,19 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
- name: Ensure aide is installed
package:
name: aide
@@ -2056,19 +2069,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3113,20 +3113,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3148,6 +3134,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,574 +7,574 @@
2022-12-05T00:00:00
-
- Verify Permissions on shadow File
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Configure low address space to protect from user allocation
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Enable cron Service
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Disable kexec system call
+
+ Verify No netrc Files Exist
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Set SSH Client Alive Count Max
+
+ Disable the uvcvideo module
- ocil:ssg-sshd_set_keepalive_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
-
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+ Set SSH Client Alive Count Max
- ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Use Centralized and Automated Authentication
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Disable x86 vsyscall emulation
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
- Enable Kernel Parameter to Enforce DAC on Hardlinks
+
+ Enable SSH Warning Banner
- ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
+ ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1
-
- Enable poison without sanity check
+
+ Ensure auditd Collects File Deletion Events by User
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_action:testaction:1
-
- Verify Group Who Owns /var/log/syslog File
+
+ IOMMU configuration directive
- ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1
+ ocil:ssg-grub2_enable_iommu_force_action:testaction:1
-
- Record Attempts to Alter Time Through clock_settime
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Allow Only SSH Protocol 2
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-sshd_allow_only_protocol2_action:testaction:1
-
- Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+
+ Disable mutable hooks
- ocil:ssg-auditd_overflow_action_action:testaction:1
+ ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1
-
- Avoid speculative indirect branches in kernel
+
+ Configure auditd mail_acct Action on Low Disk Space
- ocil:ssg-kernel_config_retpoline_action:testaction:1
+ ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
-
- Verify User Who Owns Backup passwd File
+
+ Enable Use of Privilege Separation
- ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-sshd_use_priv_separation_action:testaction:1
-
- Verify Permissions on SSH Server Private *_key Key Files
+
+ All GIDs referenced in /etc/passwd must be defined in /etc/group
- ocil:ssg-file_permissions_sshd_private_key_action:testaction:1
+ ocil:ssg-gid_passwd_group_same_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Enable auditd Service
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-service_auditd_enabled_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - unlink
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Set SSH authentication attempt limit
+
+ Verify Permissions on /var/log Directory
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -43,29 +43,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -73,24 +83,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -98,9 +113,9 @@
-
+
-
+
@@ -113,21 +128,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -1940,6 +1940,19 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
- name: Ensure aide is installed
package:
name: aide
@@ -1956,19 +1969,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3013,20 +3013,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3048,6 +3034,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -143,29 +143,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -173,24 +183,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -198,9 +213,9 @@
-
+
-
+
@@ -213,21 +228,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -2040,6 +2040,19 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
- name: Ensure aide is installed
package:
name: aide
@@ -2056,19 +2069,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3113,20 +3113,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3148,6 +3134,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -143,29 +143,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -173,24 +183,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -198,9 +213,9 @@
-
+
-
+
@@ -213,21 +228,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -2040,6 +2040,19 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
- name: Ensure aide is installed
package:
name: aide
@@ -2056,19 +2069,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3113,20 +3113,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3148,6 +3134,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,574 +7,574 @@
2022-12-05T00:00:00
-
- Verify Permissions on shadow File
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Configure low address space to protect from user allocation
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Enable cron Service
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Disable kexec system call
+
+ Verify No netrc Files Exist
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Set SSH Client Alive Count Max
+
+ Disable the uvcvideo module
- ocil:ssg-sshd_set_keepalive_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
-
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+ Set SSH Client Alive Count Max
- ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Use Centralized and Automated Authentication
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Disable x86 vsyscall emulation
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
- Enable Kernel Parameter to Enforce DAC on Hardlinks
+
+ Enable SSH Warning Banner
- ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
+ ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1
-
- Enable poison without sanity check
+
+ Ensure auditd Collects File Deletion Events by User
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_action:testaction:1
-
- Verify Group Who Owns /var/log/syslog File
+
+ IOMMU configuration directive
- ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1
+ ocil:ssg-grub2_enable_iommu_force_action:testaction:1
-
- Record Attempts to Alter Time Through clock_settime
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Allow Only SSH Protocol 2
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-sshd_allow_only_protocol2_action:testaction:1
-
- Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+
+ Disable mutable hooks
- ocil:ssg-auditd_overflow_action_action:testaction:1
+ ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1
-
- Avoid speculative indirect branches in kernel
+
+ Configure auditd mail_acct Action on Low Disk Space
- ocil:ssg-kernel_config_retpoline_action:testaction:1
+ ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
-
- Verify User Who Owns Backup passwd File
+
+ Enable Use of Privilege Separation
- ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-sshd_use_priv_separation_action:testaction:1
-
- Verify Permissions on SSH Server Private *_key Key Files
+
+ All GIDs referenced in /etc/passwd must be defined in /etc/group
- ocil:ssg-file_permissions_sshd_private_key_action:testaction:1
+ ocil:ssg-gid_passwd_group_same_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Enable auditd Service
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-service_auditd_enabled_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - unlink
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Set SSH authentication attempt limit
+
+ Verify Permissions on /var/log Directory
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -43,29 +43,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -73,24 +83,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -98,9 +113,9 @@
-
+
-
+
@@ -113,21 +128,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -1940,6 +1940,19 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
- name: Ensure aide is installed
package:
name: aide
@@ -1956,19 +1969,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3013,20 +3013,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3048,6 +3034,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
RPMS.2017/scap-security-guide-redhat-0.1.65-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.65-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-redhat-0.1.65-0.0.noarch.rpm to scap-security-guide-redhat-0.1.65-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -739,14 +739,14 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 56a8c3f1bb6e7b1c74f91625fd2164f065b03151a4a4e1a86f97943ed7833418 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 962bc061afa0b2bbdcbc39dc11145f61d79458d55cbef4a9402000a922707851 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html e713aaa221656ecc5c948e77c07c9ca5a361be444f6a3911d6a07e99cab82e84 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html 41f981cbb72b3317b1f95c55f48a39c986d1db530b5d8dd6f17c833b2871d0ee 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 060867a8d9526b0d91ffd7957ffa98ce9ac60e99be36644c31a1d2593e5b7224 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 894d5827e8188a026fcb7d3cb43345a89f7e6c4a0056c7c0c4c9ff5458a69a0e 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html a4079158b921bc179880eb9e81673fffb22b23905678ab60aef0cbc577566fb9 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html 9b98591b32946603c180ab305da45407a89712b64509db96473df1f07e546c71 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 71e702d491b363807530bb5f104984073fc79b31906e7de98c29838850290743 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html b0e0455896ce24745da4e9375acc3f70991a47c7c3fe20f87ef3238a2517b467 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html 33030e73aeaa5c853baa164b6930fc109adfbb914a0d5f4af5cabb95f003b2ca 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 903cd0f6c49d3706074eead302586a33512278e7993b4adc0479ec90c9a17b7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 0024336bbdabca6f75857789913e88d2ea6ee28bf1e210b4a76e4f398c85bcb6 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 8514d5c0217a15c8f1c309ca52528cd2be1700ffc9d8bdaa2fbec05adcbd6e54 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 101d649c7273a6e810466a838f060c5f9d8df21ee34ee7968499d707bea9ec09 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 4ec421df3341c203f985c3880c0f055191bd4158144ad0dae5e4e7df19f0b642 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 399e6e1834aca92ead19cbcb69941a339263c738959104fd4a690a7e841260ef 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html 6aab24d923cb835e3a6f61bc5c62960614fc7ccc9506e7bcbc7d3f6406803091 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html d42d1067fc5b487b201659f018285147fb9ce36b15211467697c13dee9417337 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html a7cb35dd264557d099dd86773a5a797b11354c35eda92cfd565da8906ca117ac 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 4f306cd638ac06d9b78c31809e786cc14b52f79e90b389fc428392ee668728d6 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html cb1e20164b46ab65e65a1d1e10d1148acf007b3423b44d42c1a7711f7ea6123b 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 512cf55ec5b415198d84a05283e32e5d874955dba20cb1da6156366e75f90857 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html e00483e57da76b408b7983b402b2c859f8cd56ba78f3f2376f3fbd2f365aac95 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html d469967daec69fe33488635eb7e57692729466f6d61bc54659a1ef34fa559c00 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 270d5a4c8b0bdc77982a03749b3c5a5f7fe8ae43e715235a4ad834d2c094fe5c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 838b0eb3e3799e2539678db791f457a517431856b60da7d722696c8fb0c51eed 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 3c9adc0b66bd4682a9781d2b7de25204f5070af806fc78f10300b311f60c59b3 2
@@ -754,18 +754,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html c2f00df670ffe4af827baf72e8722367844face76f7ed23a8000ef645d4da357 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 18971849c9bfdffd0b24501ca9678767e0eaf53ead48cc0eaee2b38268de6a47 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 23e9e88a6bfaaabc300c73817a13a406896da06ffe15187fb4c76f7bcb1b4c4d 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html 99aaaf27444323727180516c3016f80723768be5f109476048e96b9438ef82ce 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html a26a2894662c6d7005cfe4539aae93f3184c5282ef691a819e6f8823ca0baabb 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html abc60d7580b2840afabaf1f5a60aa13792f910b90bf652609a6019d1ef16e56a 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 222d2852cb04bb18b782f4533af5bf4132bd468d7a4e5eb9779dd9481ec23bfb 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html fdb5bca6dc7b5e670238c33ae216d76afcb56ced46870aaf5d68e2a20ce26b13 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 0ab7bb693f5087a28e244541d3a6a8ccbaee168b60a3c4649fa9696cfd9ff89f 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html b2dd7356bee0f1f7f98b629ec7cf892b9dfcd97e8097c238dffe83f053d75b39 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 411701a6d530530084c3d151dc5276893d91a985e8ca5a2efdaecad86166b673 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html e5e3e082dc4fd2d2ca751856ff93dc7c2d9533629242b2136c596be90ad6aaae 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html c4c25dcd6acb99be4f7a90243ab1a4000759fec6318d08ab3f024dbe331aec37 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 679c9a63492ed24dd65f68e25af50bc731859bcc2a6f473a20ea2917609baf0e 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html f09be1e7b79c0f271ee7aa22d269ffae0242aed6fa5e47c8c123f1272f8a4917 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 9793f86c44b139b0177c9de9c640e5ec3c99f75bfa3e3ed4d0ce2742009a2a2a 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 9610fca7d481bc5a9fb7a7ec2e07f5dd66cc183e104e0b047fa167a6925083fe 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 47e6b5cd0ac625b873435b9bbc07ff3b4aa8d5086ba0717ddc65139598957c26 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 5984949fd65887236f6c733ea1ac0ba4533eef13870f79c8464a3da0287b2d96 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html d852fa5d58677f7fc03ac2ccf5be27ada0c24e9fb468949e406d50ede1cd574b 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 3a24a4d65c5544a8516d767f11c65ea099ca16fa8b3348de30e51d526a77c681 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html 1cf542103b6067380850c6540be036b8844cc0b727d05c466394d9bc9ee4f8b8 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html f087e72b1718a52adcd3b14a32876861d1a5a9bbdb1f028507460baec5a74e47 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html fbde2658b7a8b0bd19233609d5b68edc6e2eb2f163774052d3ec60f5bf264f6a 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 7ccb99612985ba85da8653204e802b6cee76694c6407c588dc9763cce33529e7 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html c8cdd2e67f32bc0b3ac6fc2f56c79af2be8dd2208a8122045a3747412ec350c0 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 0b138eb15231ac46d5233423ebd91ac0a06806ff96e540fbd900b37db79e6d26 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 5cb2e7ab567182beb4926e4d2d8dda2bf7ad6258023eb87c8330dd58f3c18499 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 6cc733a1363f169ca858cc799485aad9e70e8f1c710b9e5bc489af55cc0b6010 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 6f343f8970784a34c72426ca5b9e27d096d69dd00a3cff4f2a07862b6ce8e160 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 32be0ff2d2291bf6d159a00b10a0f51a1333f3314f85ebac3312214e2df15761 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html a25db390d260f810f13db30d1112f6bbeeca573d54b4803e748eb887aa49c5b1 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 0d27569c5e1aeadfd26bb8d7c70ba0e5cdaaedf8fbf7752b164a0b728529565f 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 8ebf880098651386930dff062e513de3033c399f5d337ab93038657fa6c01bb1 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 876791946165d54a29d6d4e7f77059f6b1c8de6676872aeceab603df2d81a9ce 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html be0229398d1c771092ffe34dab908252d671340479cc82ffa5f224569aa7bce8 2
@@ -773,5 +773,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 4a15e59b30034aa4cb6dcb897977aa43da9183a3cd53ac77d97a9a29b3364489 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 129cc8c25265ee4d212578bd04f00edb9d6080a597b45f0673d98976d17f433c 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 54379ff9fb20287ee5d2de3cc8012389563bc13a61dc71cf95eec94686baf86b 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html bf73461fd3a26b75c60a3e10fc40d1ee3a00d991e5fe76ffbbd956a3a9e9c308 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 15a768eb3aa0c4a47460cc0373e20e342421a678e38b0d1ef936e07ea9860f86 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 22cb11b4d30abfc1ed9c52ba68a45f64faa2d57aebfc4f4997424e84471c5d96 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 8dc49a4cbe9885db6732ce4383dd1e27f70f6830f6e24ed14f50f8f1d5d3983b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html c26999e71489f29259b9b928b97b4a6903c1e106855d0a334518be19e6574003 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 496a263226a639678b277acff07ed82fa756ed97c5a0d173d257154536476055 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html e2b5a0dec665efbd6539e97f798d19c6980da2e889feb83f0cbea319a4f7206d 2
@@ -779,11 +779,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 122be7a8a2fa7b9fd24e3f9eb09144a395079ba4e66a28db7c4241a4fdcf6938 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html ba290f8676b3c1d1d6a5934f1adee158c03a10c1a23dc6b54bdd27f0ca3ef434 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html d2d5dd44d096da2724f899ea63287580c011e67f62e856bc20f3828995615703 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html fe79ad00ad8097cba1686423286701f9d75f3efd656b0adbeefae52b94092510 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html f066cd94f89f121e9429c41a39379952caa104223bebf3920a4c4cdd2c42191f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 3ab18a28355d36575a7f0497d9fd5f40d6672102f118be0abddf82464a418215 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 93d8fb7051b049e1f41a846e6a807caae5ad43e92d649468a163361518c48f8a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 9dd12842c7d5c597ee0cb37db412227b5a5b39261830ffa63bae6c87b100e3bf 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 492a7cbeb7876bb13b6655f949a8f68cb3ad00a23389b78f83e9b1183666c3c2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 5456ae1c8daef12bc209626ba354edf24358c5510c4aac9e8d96b9bc271da588 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 189440c876ef98ee37ff15ddd430d89538a14a9d5eaf9e53885c21183f147003 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 7e469f858340ec85fac05d9237992771a7167d7d41bce4ac5901ac7a4df4a0b3 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html c3123a93be870da6893d41b7c039c700176cbd2da07e62dde02cebb542575eac 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html b2fec6c2bd5655e25a7dc999bf04f3594159a3cfcac0d36bde994c6036361073 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 6881e67726e2828dbd3dc680fd8b4d52ccb9f42b50ced2062b1255bebea494dc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html c4c27efd19c03f8b834b1ce3b6480d69613ab39578ed7160ddc87fa798f9fb1f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 62afaf5782e6cfd2905b768df58cccc75df9f5633c473b011bb24729fec05570 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 3d3ef5577ac39de5e0e5832c6737b4d41bc237fa431823e4761afcfe339d6102 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 87483da5b7913ff0fae653bc3f6ee7c135917d936349a49ce84cd64675f678fb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html be4dbd30f4969d8059d6823c99d658e740dd5f771fb41f23a8d3d98f48e2b8e2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 7907f2f9e2c6f9606d790ec10ad06b4b8e91bdb6026a4209bb028a8d6ee491ca 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html cc8922ac1f652664fd7967c1b81ea09d3daafbc006ef41a879c717d0cbb2f6f8 2
@@ -791,15 +791,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 7c48f6ea2bffe60d9148104e127f5c33cbf97f8d54f2966daaa05383907f464c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html f0773aab1c3c3b0c28eecbf7eeda6c2f0eb37531f5b8ff158982f0d99bae8074 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html ba796ea863509543b0e6fbd224876adb13974fb15c3ed72ea201bfd9d9379ac3 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 5c44f288a0609581affdfb9398e2d03339fd0abc7e6d59bcba3480d41e0b168c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 35e4c92b09e2ec883402b2711f75408ca1be896423588c67afe1a02145a26420 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html a54b8a273be86c2cef1e33beaecf16fc6e58644e931f3a16344e47e125da6374 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 0434d1cc868a35835b4e9bd90b05dcb6d16765567dc3cbc8b8da11f13f2630d3 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html e0b38ac387d46c7664dcaba0cd4054a15a53b4ee3c4cac07f7d6046309d953d0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html dd48897c76bf177ae4a89eb54bb99b92ff7c5898534490b1e9537e9bee85b8f9 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html c370625887aa0bd85f4c83d34498219fb491fef5620bc456e662c5f802d7e95f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 686800e5eac7fd9e3a887d8eb63c3c941db4b2b76b2c1ed07ea554e8d4961e7e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 7641e45b0c48bd768f0789a06bad6d7971e751d07f0dcfdbf1586f2e0fc27290 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 6a45e7903e6a9334d218077dc4a6c536643231171e4dfcdd56ae9bc2d26e0a58 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html d46988dfe662f4610d1e95621c8fb8c63ad6739789dafac9ff024887b11c19b8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 8eaac7aff4c05223212d739a07a64840c4e4ddfef784a7071f3c52e66ae02d83 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 5159d048fa8c66cfecd0445f527ad5c2303b5a5f152261162f55cdc92d0c9d4f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html d0a7abe1d889d9fe8b7bf8e194a40408106280969b2327e44c5e0a51c72493f7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 300a03e67b5e12b829577eb93b44d5d2c026a5d991aa64b70c7d508dc06ebfa4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 7c6dd17688490bb8411df7271759bdde81809637320b7eb78921ebef6979f25b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 94dea0a994116a6b81b142d11690bb93425648b904910dfc6c2992242e73b3de 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html c4adf95c4377277b10207ee504bb91f23866e5922182bd5289db08b3609346d2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 28b2f77c491d0a6ae47ef3cc7f1098283362523a2987f6b712d8316e00a4cf49 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html d2f084a6bb9ce58ae24f314aa958ff1d64717d12550afe845cc506f8d1b71d33 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html d5257012e9c40bbd23672ef08f1d3092cc4b8575025eba791761ea494fe409b1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 84b70ebe800f5302646bcc5b534cc3876f840edc854ace98148aaf9021ca2d24 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 01784ee3ebdb249bc1119b29a843c16a684acf881499d0c619d383ed1dba0945 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 238b23e44b3d406b21a944b21eeb1c112a836c32ce07627e1ad0bf2c096e155d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 8bebd582ba5bc28238074e782b873876b01af13a8fac305b27c233c2a89fe0dc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 758d8814745bbabc3ed8847b2a776af515403d4efc7f1f44ee8d3cdd98f090bd 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html d5429ac296ba9b3f493c365169430c7f45010c4434c59179bdd0386067acbe7a 2
@@ -807,12 +807,12 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 4b438c70321d0302fc8aef273fbb13c50be2364ffb23eda8a7753ee3f4644d7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html f0ce7c097ae554e27cc69e9e684c6db41ee25061d3960aaae2722bd4f8054d3a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html f68742f6cd8587b487a9edb27485ef6064baf5bf39cf72ba6a4d7ab8f256900b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 7575323550e7bc66480c0eb47d4ffa41f5c867f478a801549012b04846bc252a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html c80f02e2fe44f2cf40846910b26c5f4e1021443099d944fa9748dfbb5ac610bc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html e308c9d584dbe84c5a596c9dfc3ef434f85faf9d1d19b692d228f237348a957e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html f07b550dd559aa712eeb6eac8dbc67b211e7035c0f289128bbc4966fc78733d7 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html 9d1aabb8aabecf5f805df583cf6957e538ea76899794fce110eb53a9a7996529 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html cea3c3d6ab750add8b25d138f778235233b78d05d7233f523ce77754827d260c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html 55b0ae35603b573d24a68b67b30fd5a092ae5cfc8db55259cc247e5e39743908 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 8a010fb03c8f478b84e6e73ad06d185a6cfabe800dadebabbf244fee23fd8731 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html cf93a1c656434137b02c97e8a7fc8b37b6388dd4cdbffaba6a465b3410918fcb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 58091d3ea34f367a31972c581236505dc95a8b0d529dc15ad5418ddba20e071b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 62e15614442f3bbd5c8f243ad9f84485ab56dab6cb7712afa2e313c0bc241972 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html b9c88cf2705e117439ecaaa1badbe32199679a8a68b9a73423bafe497eec65ea 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html fba2eb426399161727536f73800f5b034c35634b2186996365e7747be273899b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html b90a1422874bde6db76b80bbabbe17cdf56db8e4bc4da695374a193b2823b5e8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html 2373449eafb695360f61fca30d450f035c7b417660f3b624fc872859be497a5d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html a5aa026a24d236d1a6c80e70ac9f4440e641ae844303dced06d551ccbb86a9bc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html 1b63314b245115482b3165fa848b24e7e4f9b659451680134216e70c355a17c9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 29bb5b5afa36e45da3808a1cd58d0550927604b78acca7809a655e7ea4b4e36f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html bdd83929498e0377c30effaaef27846c3388f6aa70efdb0217ad47538f72631e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 4f2ef855d09c78852e400dbb1dd50b0ec256ef34f37b9da9053b2712f091c5cf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html 25429c869ffc5dca51cec0d70ad0495903d004e57b58cafcf4236b368b70d572 2
@@ -820,11 +820,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html df5223d58a575263c00825099019676c5143ad4b45d16ac026e1c9cef566128f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html 8ac2bc4b214e54b13a43d05e6e61e295c98e039404208673b511ca7e459da4d6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 6f36ad75de07f2731696b78a09bde1de90edbad9d1f5f17e51e5505525fdaaa6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 285f0fa75887c0e3cf25fc5b59ee829d64e0dce38b5735bda1df0eec19c5adb2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 95688b169bf899687f315cc61281633b1c175d2202ef1c920a8309a4c0e1160b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 3e6ef09bc39f3f4c85c4b02a6b1d15daba24cf6b24a9a2a5f125f562cf4c010d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 979e681f1219df60af739fa3179c5fe6cf12d11551b855283ed56f8325582c5b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html acf384f84ff99bcda16c2b29cffcb3c60c08c581ab6ec387766b262f4795b0e2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html fc3b36d8682678eb544af10d632fa1f12a5fb1a0175e0b86d64569bc399e2af6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html ad3fde681f5c742d40ad020e8aadca1c1a646e0f985eca1d39a1b01d2b37bbcb 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html ab62e1907965cd19861451ce2eb97c1dee5a4e8851d5cc98a1cba4f643b8ed67 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html 713888fcf5ce499c447b3f2f45fffc2af40fb6eb772c0025fcbfe14f78ea8936 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html 5410731dc2fa5605daca6aceecb33179060e96b59f877905e6b1d4dcd18c14af 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 8a30340406e2fdbb6b8d16c7fcbf2c20c70604df0beac7b57b9498164bc7db83 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 0cf10984404a3d225e066ccdb646a91982f20b6b497133610f60318e9d338140 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 7c44c41963b7ff551798839ffd1d7b0039a9e863b80550583f3ab31f9cb11a5a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 03b633183ef915d61cf814a35c77c5189e0ed4387a592a15b9621ac04acbf478 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html d43fa4a17073486a28ead5105bd294f3281ac3d10b2bd3aa35930cb000b874ab 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 524bdf3428a9701b6f537a8e1feab24b3976d43ca1aad18cf048edf0824be9ed 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 187e35afb3329bc617814717aeb811c47660094b427eab7c1a5f4ca00731c896 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 850101cf8bf2381bf51b3f12507f0d5005142bd5373edeea692fd9d689d92cff 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html d9a4c87793957e08381f950698664a3fb444bef313784d7e578623218b78840b 2
@@ -832,15 +832,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 174f31c8ba4d046818d99218722f82e5b45cab4298b202ec02336c0cbd32014a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 8c0cfe468c132c42869c3807ef76d2c7aee03430bd47c33e7948927cab9e590d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 6e383062dcd01a43ec5e02a89c77c4c69513d49e826d4ed34f3d0da0096521f6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 77d0f092d8a23f56866239493ba8bbd0e0f4fc693053d779b7f711fb2eb00ab1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 56044b56286b0c62c26a0a276db3188145b1762b2203896c42a9497f0e77203d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 006cf26ce6c87c83c6799d749d12ff5db5846479c35ed9d920b90a2f1ff4055b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html eeb13c356308c6f959e047784b29c75682571e2d04c2f132c9e3c3110ed46b47 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html d98379c28b0311fd268d0f9dbc39c72374684413ccdd5646814799f17d0f45d1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html add2bdb92e16d3b9062f9bfcd7cfe616c68787d536fb4cab57311d557507852b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 121d29f579dbba0413aa41cf840f58923f14874d8cc03cbf43d12c69d6a16348 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 60402fe01e92db11b94d3ef0e9b4d9245530d75ab069f61551b307174f5f5e07 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 3e2e5d00425003cac7e83154e057d7054b4e59194dfa1ba1f1a36d744996a72d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html a24b1c6d315df099e0540bea5f5d4b6674456802816737a8a90f2ee244979511 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 6a465736fb140f82fa61cc05ebbb63537e21ca61cc6b10c72e90213d6ba3e5ac 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html ff5770a6fbd32b412e7872c6c0e4f24d44004f8b02a49a8fde696c7a8504fd76 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html ef90ec4afc83835ef0d73541289b19dd79c79ca18ce7514b5c48b85b5c73ea40 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html fcf935900f59b526404ad937a1236bfb13ba73aa60c44dc2f7cfe140e37819c6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 3ba5ffe3320e96aa252848a43d84c6413acaeb70f42f19b719aad9b48625f0ba 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html e0fd9ed9669ac9e0d3e4da58aef517e6c3672169b722ff8f33f666618c6b840e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 338567eff228a11398c0c435c5c65be0a60a679b484870ebd63277497a9c5161 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 5f74d1f574c15be1f29740445deee0c0b02851cc1ff1359a5f8c080ea73e687d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html b9371d58f78f3fb8a9cbefb0007fa7a80c610ef131f165c9fc3926fe684d2c12 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html a75db64be0de8a8b5e23f75f6a98298b24f146dbbb8c9f85d9ae7d21ab47ff74 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html f39e701fc20f9be478fb6ad9b56353965cb5dd7dbc7b9e7325dc20b10edbd15a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 139064fe0c30716d2f81c533d6fdaf3c6d4c0dba8dfdcf47d2336978f8d59974 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 5b42e9bdec4693a9f01ab7bc18a5dcf0b2306fb5b675a58377b0da14d1ca802f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html e55d8786b45525bd07e18239b8dcc3c45595bcec8a01f117cd7a792124098c97 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 9998968739314c9e60a6a8f700df1d3987d9f4a050c9f5ebc89400405a802fad 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 22a135e5f6085322eccb83f3b326106606abf2bc66ffbbcd71bc4e03b4d8489c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html f933df392a0c49bd4343848f1b68224a4956484bf9d693fe85b664999bedd236 2
@@ -848,21 +848,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html b9db11df4260cf2a6782b33264dacf3462814bea0f596ad489ed9e293ec20b99 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html ae3211e0f0e3290407a587bfc60695c3e922025fc02c0838272e8e806178553a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 319d222b8282dc458e6cbf986aca0d82257181973f592b412edb03c04287a9e1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 122f3c96c3f91456fb5921ecbc8218058ca56a93a1bc17ec3714a71824e77f50 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html dce8ab366a5ca12a089b9a772ded132ffcb9644136e52e0766d56e356e1f5ecf 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html ae91f94473ec4551391316d6ce6d61ea32735c9e0ce33c2717879c9d1d7bc29c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2e5b0ebaf71cae796c18348123d1c13a31c68c0d14d56e2e4977b2cf18631f54 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html b5e6001ef70e505774f22deb751ad23f306587a591926ffe6fa5950ba6fb3426 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html bc32c6450db3102a2762c6178c8e6c1655fb0b9f7232f4b0a0f80f988136b378 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html fc8d770385d8ee2aa3834c6948e664536682999931bec130f4b18c8725e1ae60 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 42802122d18439890654a2887c602d10180be486145606d2adc4ab504e1dcd9d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 1a3699f43367f1688bf3d922882e67f344edea46c327f189428a1bf1ab69fa33 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 9538584a6591ff0140e64de0b0c7fa344561cbab613373b5d90b53a02624ec2b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html f4e6262e08f46a194f0ae29fd6fbd4082cd3232aa3b646903f9ead2a28140bef 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 7adb9ecd7b0dcf76a97da50f61bc32b331a24efbbd34f2217498e068728be8e7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html b18bb7ff87628cc5d3bd6f7d18ad370f706f4b0579a0cc66fe4b9e123a1d2912 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 5b7fe310849ed383570b70074f5d5aa7327b8a51d3e78a9ef441717c79e6f1e1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 8d861ac3542c0ac617971f9a1d54bff16619ffa0d5317bfcf5dbcb78c4ba0538 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 549798ec3e2541c2d0e9eea01a22dc42d979d7b4289ebc88364025f043464deb 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 69753e88137c3a013568ce6ccbca7b99679258b7f4db6349397425c9ecd74c35 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 804d63df50071261db80e24a964d9edb04e1771e4a07ead63dd0f3885ae7a1a7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 6db600cc4613357ee6632b7085757f694bc3bff21ecb72823101928ddfc8e935 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 49405383a5a2a4b3eda49dbce527142cc2d4b3126c6d656b0f7bc4fc8f0c1150 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 130fc84edfe49528bb728672f4f1b726d74a20ead7ebc18e21b95daa3a573d4b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html f76ae75be29b39c105b42bc8dea731d7955b31b041c5213817a4f3e9f480ee22 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 5ee17f4347584e8ac46fc8910018fc5b358913888799eafdc3f93c0679fd66e3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html af3e4cceb7d6198d24349d5b3fc980bce1fc8d1e381dee8bb0b16966aa1e620f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 53ffc412c506196d27c862ca5d5bbb1e054666e0499b21da8673f8e5790567ed 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 904deac3e943480a65baf9f3cc5d512e345dd016792a70cf7774cf4ec2b7f6a0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html d192ef1683e291bc407157c1ac558e092ace37e1e726e67cd36a110213d1c0cb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 5d4bef514cfb9d6d37d9e5bede2a8aadcbcb60f57b654c93cee67e0c2be20a4b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 81492c28cb76ee16a9f2fa5c0f7433232969b0a975ff8ef83a78a3f3934ad2e2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 90956f81a2ca251bfd36087107ec00ba9efc7f892e906f78bf3292bddfc838de 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 5f2a2665826d59394c180ed41a660eade10a611e97c32dd4ab9a71bd3cc872dc 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 1ae2cd280a87a33bff292467f65f6ca4a165d35140f2afb389cbae59c4a2f20d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 857c782be71170d41d4b775e4485b0c4ae862e09b2b036d2b5a6f6e9ae4dd6f4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 41de71bc9a54bf5ede8cf6a59f9e8f9fbb9250c1cb0ab616dd78be6c75993185 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 1da344be5398cc95f6f87c0a64c8f9ab7cbabb75cc0b0285bb84add64cef931f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 47cd0484719745b13b59ed64e6a2ee1f9085435562af5ada91c01b3d3640abc7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 6691ad87f2aac06f558b5aabdf82fc508b117da6c98cf0daaa922ade07d1e983 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html c1108c32fa02681976bfe238c6d0748dea4d997f76480bcd1c8cd12cd5ac9e02 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 8766273e9248444b1695f63cddf7874ddae226fb2455c715d527846504687024 2
@@ -870,18 +870,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 969d39ba30c51547342fb30a1d2d39c35d242db099ba4738beab5de40ee57957 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 8c4254b3d5213adfc226d1e31cb7d7bc9f9fd9642d9de3d025f9d43539903f99 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 3ffdcdf1cd40a4d191fbccf05e7fb8ae806edfec3ad87575f409ecf06fe6a48b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 0abb45379950dcf53eb9629ad445087504c97ef73547b974971f68f2eea348b3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 582372880016dcfb1bd31adc50c5b8ea7959fd0298ef2db18f9abe5470405ab6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 8afbdb00e9978a0e0ee94f64ba3c269d0a5aef06bf36831a57b71fe874a95e03 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 675b2f0335ee8a1ae31e851da0f20cabba21719f63e3b2a540c93ca3c000c29f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html ad2a00ab96137960633821b3fced9bcfffeffc74d6e7cff27499f0a32328b3de 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 9435be9214fa69286d7204916e001126454bb56d15f6d921bab72f41164ec579 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 7394d07d552ce7d05008d97d7d50874ca6c3bd127af82a042ab6e5b2f4d87f34 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 35b2b6b907a60939756124c0deaae91f9cdc5e9b94b48188e4c932ee8432608e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 02fed7383f606242965e9e5cc16a9c8634e8ec0748bbc6177ae8554e3326d9f1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html dcc75b3848d65097950fded781ab40f131210a290b445bb20ebb923262255f7d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html a3d3b0b9e24bb6282315b0807469664281bedfb3eb548582279969db80b1beb6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 2e9f966a9f7a5bd3380cd6a4f4ca2ac5ce3bff62e9dcc06f656f499161e0e377 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html e4a24b36770a020d06ae11c32a1920202c4b40dc6d2cf8fb607f62701a1b75b3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html a07d9e3a1f4ffff2f0f5c54a38a987af3bc4c90ad4507cbed381a5fc3609ebb6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 0b9737a7a97b370a2035f6c2e8be93e8cf41ff0e7b0afdda80c89d302ffa54e7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 97b7605dbe222f68464e2a397bbb68c33a09326e6becdf792c674737eac35fd0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 3b322a34f857a6c1941d87d50f8578a96f8370f8eeee08e74e10481ba4d699f1 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html dfcd395b6f8ce223ab4907e50c2bd4d196f9824a44b3395b9a785595a024707c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 18044d6b63c08856eced46adf85dc3860d642bb7be8c8d1d0f1b781a21c63f89 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 09c96ba860da31990a2bb2ff1e06f28bca8ed3e4ff0c6f3d3c9c49100fb03483 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 045ef6808988cb56d34e45e4aa3d8d00c191dd4617e5f0317d08e1a29c31112e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html cdcd73185ea64fa4ab94caabf3936935af96c45609c9a840321f56e37db4967d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html d325e61ee711fd6ea153452869835a6372b45629b22b4c7065ebea107c693d54 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 5275c9b22e0f83d2c5fdc255d81c6701b46fc39d61c71d57e0dfd409820e9be8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html e23bf63ee231712684647d486c93a4856dcbcaa76c9ecea20643242b83bbf55c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html ffe72fcd4591491edd1a276f030ba150b00f0aad3bdd8b150bd1f78b0f6f1b8a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 5a1119088171f46c83562b150de58fa18670c84944479018e7d6a63a20141c74 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html b8fc5f5337d2e99aec12d7932c5c68e23f372a6a8a8829c7ab6913948b339638 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html ec1a0d5eb2c4a609a52ed1614c5431bd8346c15b377dafaac1adb8a157708d21 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 021d31c4f03d476eaa16ec29d8649b830186527bddd37f303a74f8249eaf8e87 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html a0863fa988abe586380d8033aec421643322b604021321a4b491acd3c053dd4d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 3d6a42ef5ca8c16803c6da5acc74ff12a31db9d290857eab64e89624aeb3faa5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 98a207c78f5afeb45a814fb29a6e2f761a5e4fb3b9d56f9c233d9c6fc1a4e386 2
@@ -889,5 +889,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 5d52946a37ced89d977b449e4fda7204553983859f05fda0664bded5e3a96ea2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 6fe56a3159b5339eceb80f96b2000d95f0c069c0de86c9beb6bc99dcf17e60bf 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html aa51b67775b9f8249fc7af1028c9829dc838c959532cfb0a14055cb026a54537 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html a923b168e70527ab47f91924ecda17b4d828e5ddd9bab4324bda6b92084224a2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 8742e633a1c24bc0ec1ebff12cf8e3bbd9c5891092cb89d526dc6cc71e0da457 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html fc17977942acd6f6d0f25d4d5938ca48acd686703cf90d8c245144baf2538997 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html a5aa6a488348dd20c7d1de07f9377c2d60889032d14488ea167589fa35c5129d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html e4a3a240daf7f0cd3e8804acd15449148894675af3b64626c003d7ff57d95a02 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html e16082cbd1308b25156ad405c69f078d0f98c1f62a374d36ab29e3109104c4a7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html f4cd6a7c20a7dca9f4d34004be59505cd0dbc4ac92ff6a3a3b3bf95e8eb57c4d 2
@@ -895,3 +895,3 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html a6ddd0d6c814884f4c91c7ae56a82657554646aae0666126b30be35e6a3e14de 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 92056e174c815ba6321b630ff0dcd3f87c3440fe0a635cc50fc6b176fbdeec72 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 4271122a148073f887245c65dacd4d15583b6392e57be183323269a175f3a3ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html e094b610527170c298e97c4b8df1708d8b9abad7c061d22c0fc935c66f3c626f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 9c01e6faabe8848944f71994b69f1f840f0a9f2dd48112fad104c9248980cda1 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 6075514179fc7dbecc1c7056a71f1341fd24e75a3c6af9ba857b0dcf89ecd497 2
@@ -899,2 +899,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 401ee647a4e8bb2418d921e28c2fc3e657dbf6c97d835f1200774306419c5bf9 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 153bddbdf1d26e56284e158f89ce977d48dbf44a26aa95d622ad1c93983b8310 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html b732c58e0470864f627467c2872fde285bbb089cb98fde673dc9d9161aaa81df 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html eba312c59ddeeebf726dfaa9b67d9fd9e6102fd1768c375bea1139f3c435b4c9 2
@@ -902,2 +902,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 678ee383478fdec93b385ddb740e7c54711315aaf0f5bc199184a5f04781871f 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html cf52b2e6e49ae4112bdf9787cebe82583152e979c69dd8968eb0c2a37f819ba3 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2d35a56d10acb8eccfae8fbedb9c5b902102aa42cfe2e67aa442062bcbcec125 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 5c8ea00d48a41749c35d29ff405cd052a5e66ad64dfb6cf4bddea131ee89b4ca 2
@@ -907,3 +907,3 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 962130a08c2ea26148ee77db4ecba03ad5b83c4b4ec5363786e6806a14a63a5f 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html edaa58ad0a325409eccfd2b37ecc3201a6f7b69f521d29016094c14b6fc61c99 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 5ed2408009e7471717618c1b4aaadb9d84aa09463e384dfbb31830428d08cda1 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 121872d4fdf1aaf09f4376879dc69b1c00cf15b900e487518177e46bba319f48 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 0f81f5f743b556f3584160de8fa7c24b31e8412b2997276a5d5f8756623570b0 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html f6cf6cff545c0e9b153c56a8ab91f92215e3f56ef85f6e6c0cc07e2d584a58f7 2
@@ -913,2 +913,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 037c0bbe4d8fc6ca798c6301a1950ed5850b82e18895f8ca1cf82190b51e978f 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 42af4f6d6516491940b1c1a42e83dfc33bd7ea13b3cad923de5b12905ece4cd2 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 9d37afef8116a83644b562f9afc34b7e596029a5353ddd521aeb5ec07ffae7a7 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html d94d23503c5b5d44fd81a4898f4651cc363d3cf5345f209415309c26df5f89e0 2
@@ -918,2 +918,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 966fdc582f05432ea01b8064f979766cf387f3aa536941f22ff7ecb66f1553c4 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html dbedbaa8ef9b228eba29c2f5bc3c5b5a6a078ea4d52da82899abf81922801fde 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html cfe5af30b7891a68d3605aa847ce510a0a4f422ac2f0c75d2196ad9c16efa64e 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html bc012fdbebe9d9ea391b213fc01da48a0f6207657f689e8cb518db2422f01945 2
@@ -924 +924 @@
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 76634bcfb1e02a96a87f0916ae7757b5acaebfabfb504a14c6e2d9fef7ff414e 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 643db60a0d3271a59de77bfc482b847ec6a84dc627f844200512f2527a5e98cb 2
@@ -929 +929 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html f76c0f5f04a4f6f9b0f651a53b88b7dcf21e30db34e173dff14e08142de4a1b8 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 68bd02099c50c71bed528a7c0c10730042696094c70576e82dca0d29ca5bbf99 2
@@ -931,2 +931,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 527b3ecbe4425c0a05ebfc0d5426d434b6bfc2095fc8c796745de730dbefb8f9 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 351f54e5d41e343b76b6bea2c1dbcb95e74875502dd3e2eabe0d6bee8af58023 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 6c0a15d2e5362f976a2f0a83142107b2a3ed1a736cb13c25458287614fdfc050 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html c948b5513895f300b4f1af714e3d830afcc4157a77333baf7f1323b0bf0ce6d4 2
@@ -937,3 +937,3 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 0cf2c2eea6706bdedc30155f7d75b9a49a0fb588e3c952e7beb417bb072a4653 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html b043eebe579622f153791ef5096ae39ff37f31d5ce6b3baae28ac5c6ce380c39 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html b0aa25cec0937340fbc80e5d40a39a648acbc5c41da793b8153e30ddbbdf2723 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html f2034423c84cb1259de42c549d00882a9612170d1c197ecced8c6b21db076893 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html c3840c2e88b939650da254f7016b040c7f073a795b6d06bcb9da3b9f5f3885ac 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html a17a4f16bcdc5445cc262097f8273038f44afc52cded9f875002f14062a1db60 2
@@ -949 +949 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 49c96ef1d88a753b69a87ac9e3bbb135af282584a15d8e148a6f3f1db8315c06 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html d37cd9cb11c23499c6beeac8720d786c025cff4e9b0ac0d168ba2d932091c984 2
@@ -951,2 +951,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 7b860feec6d37df0230341857603a5e45f8ff768324d5055087f89452ea1c7b8 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html eebbcc262a6b8dac147b793a845d0be03b77151e836a74a5888c5fb46d30f95d 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html df686ebef274d104fee6dcf104567c16382a138e2574c37f65229b00cde03de6 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html c9dbc15203fe4ebae28248046e4b7664a72c5a091ad36f4ae999c8e07a7fd4d8 2
@@ -956,2 +956,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 141c1dbc76ff11e626f9056b9a111634fb5d667fa61cde1f13d1f7aa53786b88 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html e8e304355e3d526121d4313f958893c20ddfd426badc8d8bbcc81cd3e72f0a5b 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2a3fcf76c4f1f8b768bf11b2281faabb36cd2def290fe1d6fdc120415f561c84 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 6cb5e69042d5eaf373239ff3609a8eb721b37161e00c012be259bd39ed555052 2
@@ -1303,2 +1303,2 @@
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 48ef64566e407983d104905b9382d3e102e03068d78a390f4da24e2e9f809480 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 83a03d70a80d36f4333ecd90c2bb94be0e070255e220ef0bd39c34b55da08c12 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 86501e7126b665d4565664b05d76818df0119bb593e5870aa1d68f0e1e1036c6 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 58c15163d1a42b76439d1d383e304694eaeea4fa4c50ee4d438e0a958a688dd7 0
@@ -1308,9 +1308,9 @@
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 8e20934831a1190de253203f4cdb5cf74ab56bb3795dad23385a638537508115 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml b93ac299dc251ce5a2a941cc24f8279e75ea846587920171ee964cad275807ad 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml c3008af66582efe9e7856f0619693a0acff3ee193ce59a5c325909949e981491 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 4413b8a4bf8aecb3b81d2e60414fafe3c7153bf4eb631449a7c3dfb8eb24ae93 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 0f85f9836687dfcf1de47f233ba3deee3a46e3bb1295d71910ee920f41d25912 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 28299d63f20c1a75ecfe666f118234e45220cf54d21c885654516d1def265a49 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml ca2acdd83d42c9d6fb19994a7ef62484fd08859b20e35a118d28da526067de0b 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 3c592a2cb3188db3861e5936bf43187a30f509775d42cf9fb76791aa2aabb5ce 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 90096b65410c7fcb193b95e454450bc437097c3dc56b0eb2335ae2c2e08f0a1b 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 299bb8a9dc8e2558e928d97ac15a64de1717fb6dd224f7ae2af07bba21bbe1b2 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml b06abadf2ae4c6102d3a5b5fdaa28e0e5859b34af9b57c70e3ee6f3567251821 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 336dd8d7d4bd9a29e4a5b85bbbaa4c05f81812c921b9e6932b5f94003b56b9e9 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml c7629eb08890448ee89a8ea990344549d470208017532229adcba3bb4f073a23 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 0f40b1cfd92c10c3a0fbae7a664be8030246a1c5f3eaeae30a2788f21494b6a8 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml df7a93816189d9cbb42a613d8ebaf50e48dc77b94e4eac02a99735704e78e30f 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 7ce56a1be187645e175f12ab2ac25600cd72787a80a076111ccd19af7784c34f 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml d0abf7787b4dc3cb8674dab2cd4f2abc6a0a1997ac403f92530a8e914e99c399 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 0f5366d4abe4dd0a0b4df5891d71c7123611468361a41c8d1ad8fa05bfe323dd 0
@@ -1319,3 +1319,3 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 1374f07f4cd0c17f002598decdc2f0fd7c065a8a2468e3fbe8c29940bd9e45e5 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 20d4e3745eddc2fb9b512a3823a94cbc638c00e7ac5288980cf904b52868af36 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 5bcd85a03a2b54ccf6243754ac5ade1cb9db3a5d08683c40bcc5cab0c14c2249 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml fb1dd437bb188ee1302c7a1848ad6eef74e6474f1d911a078de1594fa0fdc675 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml deac7056ad9038672f83be4b43da696247947d318f48e8fe694b0cb747b1250d 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 75d9d3f6da5c3bcedc87a95e10448577696e3f774f61b1b04feabfa08927a616 0
@@ -1323 +1323 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 20002dbd74a7a24f99764f040ea87526d85e934914008a7c7fbdbd7c12d867e2 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 3f65331c6a5d4697284d3990ff49bee9506dd9d9305613d053f8e52828b50521 0
@@ -1326,3 +1326,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 7e2eb0f28b1cdeba2240f6e9080dab5a424957442be5f10a75e3e053a3a7ccbe 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 8571be9d287c6150fa754f5511638f2ae51fc897d48a5ba5e72cf9e427431f77 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 9e430bdf1c8f41f4c3e5dfa7737ce0150817c86c3367f720e705e6b9637d6ac9 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 19d10badf70822d6145a31a889216e2c438814509387bf3b29f8e1f87bcd3804 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml f87f1fe2cd0582bdb1ff6cc2244b91190fef2f5f125b7317aeab19857b39603e 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml a0d58059bb11f2629eefb9dd6f5620aadc5c428cade0159319df2fa9a7094786 0
@@ -1330 +1330 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 5d619d6ee1ffe0e2d9fcebca12373fe60537b174929b636bd3c006f1d98d138e 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 67373b872f1577adb324cec1946ae009f5bc84cb8f8568f5391c50bd3ada4b58 0
@@ -1333,3 +1333,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 7fdb00b6e50bdebda6588b126a8d1a2a550c355624fa89a766634ca0d7bf6d06 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 67002c4ba0203ee24bb19e08bd3f1fa8ba1522f5585e3d156beb2f74a094f8d1 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 1d455779865904b9237a9059ac4f754ac66593a80bcbafe44958f3e846e72d5c 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 9cfc075ac30b6a2b5b20acf00aa11ac939d6e149f15500fb3545e8a672474d23 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml bcac5bf5d66b8f892ea7afa2eaabc95cfdb3c080d2de496b3f76e4f1cb711134 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 99ba4159bd20dc8666c1747054bb5b241153c4ee7296dfd8d6bb055904ccc636 0
@@ -1337 +1337 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml bfd05ea842f1d6301fdbf9ff58641c10297fcdacb37ba7d58015cac53ac27f8b 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 65038811915ee0cca0e32dd29b85c9ec6b47b3e9ff34c302057b14f66f75a9a3 0
@@ -1340,3 +1340,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml ab6fc2d1a99937ac1f31432e3ff69f2fe83d62cc3cff464e86edf5f1942d9ea5 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml c801cce160c857c39ff6c27ff5a9c38dfc4637308b22da2d9e4bd1f5c617c7d9 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 928530fe00ffc8d4ea02f2ffa15c06ecd1121859440ff7af5172bb16ba690b91 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 773900580eefc53539700730b16fc776df0dd05194353097d28712c5e046042e 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 6c905d5a62b215b80674d2346a33e01a775a59168b74731ff8f43fa609c5f4a1 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml cbc78dd4f1fb3dd45c7eb63be5583644468cb2601df19c2fea64a54ce406a89b 0
@@ -1344 +1344 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 9f691c2071cc02ae8ff4f32148bd3e8ef99a6ec44cdd696adbb9ae01a3780e42 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 9e263766fa7ef0c44b3964a3cd0aea0fc292cd2f1a53ddbb5d59e35f2056c4d3 0
@@ -1347,3 +1347,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 9866ed4e8ed7b26e3c9bd0d4b6fba1d1a0b0bba249b21ee5d8835613a2273ee1 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml e27b447e7610216823fa67a8f44ad0a69120fad8fc9e0521b6ab13235c586b0c 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml b24863844ec7859b66ea0136a0213d11330a564b7e81a4d7630b37f008cafddb 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml a48e9fda58d4bad5e9e711fc1046662b7a1f0d4801bfc3b4bde7cf31e40c727c 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 462849af0194683d83def0c1815d967310f1ddf376542305f13ca005da8da15e 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml f63e7a9563207fad26d57528720fa6d4f105922a2940c2087898fbe53aed1f55 0
@@ -1351 +1351 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 5920a36afbedad09c4b0909f36eaad3efd91b1e954c42fc6f2303823951dac72 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 6b6d227a75f2561fe51aae7cbef13f092290d8e095bde8000077f2914ce9260f 0
@@ -1354,3 +1354,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 5ee34beb23d2c6953ceebcf013b73cdc1cf073496746f3dc71b01f5c452704fc 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 706f0983883c8ad7036b47fa3258d0945a74abe7851190b7508a7d60f06c7e77 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 261d1dead611d2e6c83e8cec7d3df3fc5042442675edaf4701bbf13ee153e502 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml a6ebfe4ca785ae010537fe03fc14264ffca57cf60fc73ce3165157b0737477f2 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml db1c2095c82ad96e2c01380ec6bfa85cf99e325964c0274bd6ecd885cdbc2aff 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 5bfcf2cf810982decacd3abe545da378fa45be7ad4f9ccc805f93f9e97d5daca 0
@@ -1358 +1358 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 3a2f3c1b3fc111487be2b19803cc518cf32e0da34e05190ee4118a336943ca88 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 9a33d44597c3338e90404374532fb5f59cd677915aa6373fc05fd9467fe6dcc8 0
@@ -1361,3 +1361,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 1dadfc094da43cea43901e46a0d28b3a68ef9428c36ebf1bf4ee592f69c0651d 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2b88a8bcf0617019fbc1bf702258a0b5de628b425e3985e4ac3a74cc654a3af2 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 75a9192abe177b63dd5bc09b1827d722d97d398ee846feb039d89081689563d2 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 4eb48c6f26d3f11079fa7c8d292925a29d6947b89bdad9a026626797434d4c94 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 89737cbd52f10da5f2a1751cddbe6ac4eafc3f34477acc60fdea59eff6a4bf0f 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml fe1205ae15800c899a84cce25e69fb83757e1e50439beac8ccfc6eb7cc508168 0
@@ -1365 +1365 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 224bb24d29c5e1f3845d36c6e68effb091c8f121a2a8879e79ca572bfdca46f2 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml f84729d2301a26d83dc52216cfa2a948f7ff06f94448c7db11c6afc4a7c61875 0
@@ -1368,3 +1368,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 54e8b078ef529d61e6f14c21f24b6c899a9a08150bf0040ae69e16b53c471958 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 5159f9bdc8efb7a267566272b1604148713ceb2ba30a4316330a0fb7bcd49798 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml eeeb19d1b9224670a844d9ea8eaa5e00517c6ec17dd92d8922bc18f18523d3b7 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml e8d44d821e78ee922987be9321cf2cfb13a46d9dd761672db860734e1c4eb817 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 224d99552f59e8288c2eed86dff69f252d687eec3be95d876f3959dea8555820 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 7df535961198643f34d5dc185caa63d174d84ed009d31aa660436a59c26e8994 0
@@ -1372 +1372 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 8154946f41a1ece20df9473bd5bca561026893170b4a080555f32ccb09c1b99a 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 00443f83b6b9b6b546888c1e0cf5ac9fb58bb5d5180480b2013573cbe317f88d 0
@@ -1375,3 +1375,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml b7a928f68e495be60a2a27a9aac3193746d69937c50dda3183d4b2658db3298e 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 295d70e73f162330b93b67a5170758719c24b2451c2bfc872369c533fca240fb 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 082d9713726530b742bac8893bce180627fbf47c52c5128df82d978ca2690337 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 0756fd55d01dd5fa02c5e28a7abd47960899a1b27aa170f32abecf464ca99158 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 9a13a5e4b36936c56052fc6713d588fbb304cbe1ea89ba7ee84f34faece63be6 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 3c1d6e9c0601a014342478040b564b8f9f3beb6e52bc1c03121a8162f753a30f 0
@@ -1379,4 +1379,4 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml a3a8019285ffd8d24a5db66f5444ad35a910137929303d6e6e94ba4abcd93041 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 02eb787ee75a3e9be374f9635d27e07b63b0719086843a260f6626d2fc2d5dd5 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 93a76a5e4ec46e78fffd3832439406d71923fcb92c459b22a84345a17fd65172 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml f2c9a96f6f8f484457655930ba8170e9709a6c86f612f3367a3abf69cc8056a6 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 54fef477cf573b5e667d5357da0434ab53b2fc14f53826875ae2805c1f3bdebc 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 7d51284535aaf6ab799bab7de1223527f07b9a2d6cc230551a10ce5fcf67eb9e 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 98b4fca592b338ce954c92b9a8d78514d703c4260b81ff97b3806d9ec81bc1e4 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 4a3b71f982b6e7ad191ae8ef459cf2b589b1658a87f526d6075de2a6576c8a0a 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-12-05 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,7 +327,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -504,7 +504,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,7 +143,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -523,7 +523,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r861004_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -631,7 +631,34 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 171 rules | | Group
@@ -124,7 +124,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -449,7 +449,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -495,20 +495,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 184 rules | | Group
@@ -124,7 +124,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -287,7 +287,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -419,7 +419,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-230263r858725_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 160 rules | | Group
@@ -124,7 +124,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -449,7 +449,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -495,20 +495,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 43 rules | Group
@@ -111,7 +111,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230272r854027_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -174,7 +174,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230271r854026_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -242,7 +242,22 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,24 +279,7 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 101 groups and 309 rules | | Group
@@ -123,7 +123,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 90 groups and 242 rules | | Group
@@ -123,7 +123,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 86 groups and 239 rules | | Group
@@ -123,7 +123,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 97 groups and 306 rules | | Group
@@ -123,7 +123,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | Group
@@ -145,7 +145,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -325,7 +325,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,7 +499,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | | Group
@@ -134,7 +134,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -209,7 +209,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -297,7 +297,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -434,7 +434,22 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | Group
@@ -147,7 +147,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -322,7 +322,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,7 +441,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -584,7 +584,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | Group
@@ -150,7 +150,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -330,7 +330,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -473,7 +473,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | Group
@@ -151,7 +151,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -326,7 +326,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -445,7 +445,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | | Group
@@ -125,7 +125,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,7 +200,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -288,7 +288,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -425,7 +425,22 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,7 +495,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | | Group
@@ -121,7 +121,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -201,7 +201,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -293,7 +293,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r809334_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -433,7 +433,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-230264r854016_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | Group
@@ -143,7 +143,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -323,7 +323,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -491,7 +491,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 106 groups and 389 rules | | Group
@@ -129,7 +129,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,81 +189,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 386 rules | | Group
@@ -135,7 +135,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r854081_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,81 +195,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 162 rules | | Group
@@ -124,7 +124,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -409,7 +409,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -454,20 +454,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 175 rules | | Group
@@ -124,7 +124,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -677,7 +677,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 57 groups and 151 rules | | Group
@@ -124,7 +124,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -409,7 +409,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -454,20 +454,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 27 groups and 43 rules | Group
@@ -111,7 +111,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -236,7 +236,22 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -355,7 +355,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 101 groups and 301 rules | | Group
@@ -120,7 +120,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 90 groups and 234 rules | | Group
@@ -120,7 +120,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 86 groups and 231 rules | | Group
@@ -120,7 +120,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 97 groups and 298 rules | | Group
@@ -120,7 +120,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -147,7 +147,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -280,7 +280,22 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -334,7 +334,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -425,7 +425,34 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | Group
@@ -147,7 +147,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -322,7 +322,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,7 +441,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -584,7 +584,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | Group
@@ -150,7 +150,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -330,7 +330,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -473,7 +473,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | Group
@@ -151,7 +151,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -326,7 +326,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -445,7 +445,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -137,7 +137,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -270,7 +270,22 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -324,7 +324,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -415,7 +415,34 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -494,7 +494,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 116 groups and 497 rules | | Group
@@ -130,7 +130,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,77 +189,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 114 groups and 492 rules | | Group
@@ -136,7 +136,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,77 +195,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:35
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- Network Time Protocol
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 62 groups and 206 rules | Group
@@ -139,7 +139,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -324,7 +324,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -501,7 +501,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:35
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 47 groups and 121 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -485,7 +485,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:35
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 39 groups and 76 rules | Group
@@ -133,7 +133,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -313,7 +313,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -443,7 +443,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -590,7 +590,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 61 groups and 161 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,7 +400,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -445,7 +445,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 61 groups and 175 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -278,7 +278,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r603260_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -415,7 +415,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020040, SV-221709r603260_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 57 groups and 151 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,7 +400,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -445,7 +445,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 27 groups and 38 rules | Group
@@ -102,7 +102,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r833019_rule | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r833019_rule | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -246,7 +246,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020060, SV-221711r603260_rule | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-12-05 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 47 groups and 102 rules | Group
@@ -136,7 +136,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -322,7 +322,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,7 +499,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -141,7 +141,17 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -212,7 +212,72 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -718,7 +718,39 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-12-05 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 46 groups and 93 rules | Group
@@ -138,7 +138,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -319,7 +319,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,7 +441,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -565,7 +565,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-12-05 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 54 groups and 142 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,7 +327,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -521,7 +521,69 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 2022-12-05 00:00:00.000000000 +0000
@@ -91,7 +91,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 104 groups and 382 rules | Group
@@ -158,7 +158,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -344,7 +344,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -521,7 +521,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -132,7 +132,17 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -203,7 +203,72 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -709,7 +709,39 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 48 groups and 99 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -318,7 +318,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,7 +495,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 10 groups and 9 rules | | Group
@@ -94,7 +94,22 @@
$ sudo yum install glibc | | Rationale: | The glibc package contains standard C and math libraries used by
multiple programs on Linux. The glibc shipped with first release
of each major Linux version is often not sufficient for SAP.
-An update is required after the first OS installation. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | |
| Rule
Package uuidd Installed
[ref] | The package uuidd is not installed on normal Linux distribution
@@ -134,7 +134,22 @@
$ sudo yum install uuidd | | Rationale: | The uuidd package contains a userspace daemon (uuidd) which is
used to generate unique identifiers even at very high rates on
-SMP systems. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | |
| Rule
Only sidadm and orasid/oracle User Accounts Exist on Operating System
[ref] | SAP tends to use the server or virtual machine exclusively. There should be only
@@ -318,7 +318,12 @@
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow | | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| | Group
Services
Group contains 3 groups and 5 rules | [ref]
@@ -402,20 +402,14 @@
NIS maps. NIS generally has been replaced by such protocols as Lightweight
Directory Access Protocol (LDAP). It is recommended that the service be
removed. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_package_ypbind_removed | | Identifiers and References | References:
- BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
Uninstall ypserv Package
[ref] | The ypserv package can be removed with the following command:
@@ -444,7 +444,26 @@
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_package_ypserv_removed | | Identifiers and References | References:
- BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.4, SRG-OS-000095-GPOS-00049, OL07-00-020010, SV-221705r603260_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 28 groups and 72 rules | Group
@@ -134,7 +134,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,7 +320,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -506,7 +506,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | | |
| Rule
Ensure Oracle Linux GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software
@@ -665,7 +665,10 @@
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | | Identifiers and References | References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, OL07-00-020260, SV-221720r603260_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 102 groups and 270 rules | Group
@@ -133,7 +133,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -314,7 +314,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -436,7 +436,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 100 groups and 269 rules | Group
@@ -139,7 +139,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -320,7 +320,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -442,7 +442,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 61 groups and 169 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,7 +400,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -445,7 +445,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 61 groups and 183 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -278,7 +278,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -410,7 +410,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL08-00-010360, SV-248573r779285_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 57 groups and 159 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,7 +400,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -445,7 +445,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 27 groups and 43 rules | Group
@@ -102,7 +102,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010381, SV-248582r779312_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r833208_rule | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r833208_rule | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -231,7 +231,22 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -268,24 +268,7 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 49 groups and 105 rules | Group
@@ -136,7 +136,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -316,7 +316,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -490,7 +490,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -125,7 +125,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,7 +200,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -288,7 +288,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -425,7 +425,22 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 48 groups and 95 rules | Group
@@ -138,7 +138,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -313,7 +313,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -432,7 +432,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -575,7 +575,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 54 groups and 140 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -464,7 +464,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -536,7 +536,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, OL08-00-010287, SV-248560r818614_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -648,7 +648,69 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -116,7 +116,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -191,7 +191,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -279,7 +279,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -416,7 +416,22 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 50 groups and 125 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -486,7 +486,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 29 groups and 78 rules | Group
@@ -134,7 +134,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -314,7 +314,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -482,7 +482,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -554,7 +554,10 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -586,7 +586,18 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, SRG-OS-000033-GPOS-00014, OL08-00-010020, SV-248524r818787_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 106 groups and 402 rules | | Group
@@ -110,7 +110,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -170,81 +170,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r833241_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 104 groups and 400 rules | | Group
@@ -116,7 +116,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -176,81 +176,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r833241_rule | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 159 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -372,7 +372,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -417,20 +417,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 171 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -277,7 +277,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -640,7 +640,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 56 groups and 148 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -372,7 +372,28 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -417,20 +417,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 26 groups and 41 rules | Group
@@ -102,7 +102,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -227,7 +227,22 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -346,7 +346,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 184 rules | | Group
@@ -125,7 +125,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -199,7 +199,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -332,7 +332,22 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -411,7 +411,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 45 groups and 96 rules | Group
@@ -138,7 +138,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -313,7 +313,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -432,7 +432,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -575,7 +575,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 52 groups and 135 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -464,7 +464,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -534,7 +534,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -645,7 +645,69 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 184 rules | | Group
@@ -115,7 +115,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -189,7 +189,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -322,7 +322,22 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,7 +401,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 49 groups and 123 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -485,7 +485,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 29 groups and 78 rules | Group
@@ -134,7 +134,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -314,7 +314,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -482,7 +482,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -552,7 +552,10 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -583,7 +583,18 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, SRG-OS-000033-GPOS-00014 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 105 groups and 358 rules | | Group
@@ -111,7 +111,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -170,7 +170,68 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 103 groups and 357 rules | | Group
@@ -117,7 +117,28 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -176,7 +176,68 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 90 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-12-05 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 94 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-12-05 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 40 groups and 82 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-12-05 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- Services
- Mail Server Software
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 10 groups and 7 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-12-05 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- File Permissions and Masks
- SELinux
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 23 groups and 51 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-12-05 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 242 rules | | Group
@@ -572,7 +572,8 @@
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled | | Identifiers and References | Identifiers:
CCE-82496-1 References:
- 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify that Interactive Boot is Disabled
[ref] | Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
@@ -6664,7 +6664,7 @@
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled | | Identifiers and References | References:
- 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_autofs_disabled | | Identifiers and References | Identifiers:
CCE-82663-6 References:
- 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | |
| Rule
Disable Booting from USB Devices in Boot Firmware
[ref] | Configure the system boot firmware (historically called BIOS on PC
@@ -7268,7 +7268,7 @@
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled | | Identifiers and References | Identifiers:
CCE-82530-7 References:
- CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 | | | | Rationale: | | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_service_sshd_disabled | | Identifiers and References | References:
- CM-3(6), IA-2(4) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | | Group
@@ -572,7 +572,8 @@
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled | | Identifiers and References | Identifiers:
CCE-82496-1 References:
- 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify that Interactive Boot is Disabled
[ref] | Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
@@ -6664,7 +6664,7 @@
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled | | Identifiers and References | References:
- 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_autofs_disabled | | Identifiers and References | Identifiers:
CCE-82663-6 References:
- 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | |
| Rule
Disable Booting from USB Devices in Boot Firmware
[ref] | Configure the system boot firmware (historically called BIOS on PC
@@ -7268,7 +7268,7 @@
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled | | Identifiers and References | Identifiers:
CCE-82530-7 References:
- CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | | Group
@@ -561,7 +561,8 @@
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled | | Identifiers and References | Identifiers:
CCE-82496-1 References:
- 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify that Interactive Boot is Disabled
[ref] | Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
@@ -6653,7 +6653,7 @@
connections to Bluetooth devices, which entails some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_bluetooth_disabled | | Identifiers and References | References:
- 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_autofs_disabled | | Identifiers and References | Identifiers:
CCE-82663-6 References:
- 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 | | |
| Rule
Disable Booting from USB Devices in Boot Firmware
[ref] | Configure the system boot firmware (historically called BIOS on PC
@@ -7257,7 +7257,7 @@
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled | | Identifiers and References | Identifiers:
CCE-82530-7 References:
- CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Base Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 234 rules | Group
@@ -120,7 +120,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -183,7 +183,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r853887_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -317,7 +317,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-27078-5 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.5.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -554,7 +554,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r861004_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 165 rules | Group
@@ -116,7 +116,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,7 +458,28 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82213-0 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -506,21 +506,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 179 rules | Group
@@ -116,7 +116,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r853887_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -429,7 +429,35 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-80374-2 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020040, SV-204446r853888_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 57 groups and 155 rules | Group
@@ -116,7 +116,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,7 +458,28 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82213-0 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -506,21 +506,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 27 groups and 38 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r853885_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -167,7 +167,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-80351-0 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r861003_rule | | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -253,7 +253,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r861004_rule | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | Identifiers:
+ CCE-80347-8 References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020060, SV-204448r861005_rule | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-12-05 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 106 groups and 300 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r853887_rule | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -569,7 +569,69 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 95 groups and 237 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r853887_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -489,7 +489,69 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 89 groups and 232 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r853887_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -489,7 +489,69 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 104 groups and 298 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r853887_rule | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -569,7 +569,69 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 102 rules | | Group
@@ -137,7 +137,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -330,7 +330,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -451,7 +451,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -513,7 +513,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -142,7 +142,17 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | Identifiers:
CCE-80358-5 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -215,7 +215,72 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r863227_rule | | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -738,7 +738,40 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-12-05 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 46 groups and 94 rules | | Group
@@ -139,7 +139,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -327,7 +327,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -453,7 +453,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -581,7 +581,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r853885_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 54 groups and 142 rules | | Group
@@ -142,7 +142,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -335,7 +335,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -534,7 +534,69 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-80120-9 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2022-12-05 00:00:00.000000000 +0000
@@ -92,7 +92,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 105 groups and 385 rules | | Group
@@ -160,7 +160,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -353,7 +353,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -474,7 +474,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -536,7 +536,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -133,7 +133,17 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | Identifiers:
CCE-80358-5 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -206,7 +206,72 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r863227_rule | | |
| | Group
Updating Software
Group contains 4 rules | [ref]
@@ -729,7 +729,40 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -326,7 +326,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -447,7 +447,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -509,7 +509,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 377 rules | | Group
@@ -135,7 +135,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -323,7 +323,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -449,7 +449,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -570,7 +570,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 48 groups and 142 rules | | Group
@@ -158,7 +158,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -346,7 +346,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -472,7 +472,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -630,7 +630,72 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r863227_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 38 groups and 68 rules | Group
@@ -113,7 +113,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -275,7 +275,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r861004_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -374,7 +374,9 @@
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled | | Identifiers and References | Identifiers:
CCE-26876-3 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -456,7 +456,34 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | | Group
@@ -135,7 +135,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -328,7 +328,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -528,7 +528,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r861004_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -639,7 +639,34 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 102 groups and 267 rules | | Group
@@ -144,7 +144,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -332,7 +332,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -458,7 +458,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | [ref]
@@ -579,7 +579,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 266 rules | | Group
@@ -150,7 +150,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -338,7 +338,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -464,7 +464,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | [ref]
@@ -585,7 +585,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r861078_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 171 rules | Group
@@ -116,7 +116,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,7 +458,28 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82214-8 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -506,21 +506,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 184 rules | Group
@@ -116,7 +116,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -424,7 +424,35 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-82891-3 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r858725_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 160 rules | Group
@@ -116,7 +116,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,7 +458,28 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82214-8 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -506,21 +506,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 43 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-82202-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010381, SV-230272r854027_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -169,7 +169,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-82197-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010380, SV-230271r854026_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -240,7 +240,22 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-82985-3 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-82494-6 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
- CCE-82267-6 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 101 groups and 309 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 90 groups and 242 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 86 groups and 239 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 97 groups and 306 rules | Group
@@ -115,7 +115,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | | Group
@@ -137,7 +137,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -324,7 +324,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -442,7 +442,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -504,7 +504,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -126,7 +126,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -203,7 +203,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -295,7 +295,33 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -437,7 +437,22 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | | Group
@@ -139,7 +139,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -321,7 +321,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -444,7 +444,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -591,7 +591,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | | Group
@@ -142,7 +142,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -476,7 +476,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | | Group
@@ -143,7 +143,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -325,7 +325,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -448,7 +448,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -566,7 +566,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -117,7 +117,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -194,7 +194,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -286,7 +286,33 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -428,7 +428,22 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,7 +320,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -438,7 +438,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -500,7 +500,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | Group
@@ -113,7 +113,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -195,7 +195,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -290,7 +290,11 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r809334_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -436,7 +436,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-80790-9 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010370, 1.2.3, SV-230264r854016_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | | Group
@@ -135,7 +135,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -322,7 +322,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -495,7 +495,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 106 groups and 389 rules | Group
@@ -121,7 +121,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,7 +183,82 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 386 rules | Group
@@ -127,7 +127,28 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r854081_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,7 +189,82 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 162 rules | Group
@@ -116,7 +116,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -415,7 +415,28 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -462,21 +462,7 @@
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 175 rules | Group
@@ -116,7 +116,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -692,7 +692,28 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 57 groups and 151 rules | Group
@@ -116,7 +116,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -415,7 +415,28 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -462,21 +462,7 @@
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 27 groups and 43 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-83544-7 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-83536-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -234,7 +234,22 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-83454-9 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -357,7 +357,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-83457-2 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 90 groups and 234 rules | Group
@@ -112,7 +112,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 86 groups and 231 rules | Group
@@ -112,7 +112,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 97 groups and 298 rules | Group
@@ -112,7 +112,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -139,7 +139,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -277,7 +277,22 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -333,7 +333,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -427,7 +427,34 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | | Group
@@ -139,7 +139,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -321,7 +321,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -444,7 +444,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -591,7 +591,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | | Group
@@ -142,7 +142,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -476,7 +476,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | | Group
@@ -143,7 +143,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -325,7 +325,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -448,7 +448,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -566,7 +566,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -129,7 +129,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -267,7 +267,22 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -323,7 +323,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -417,7 +417,34 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,7 +320,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -438,7 +438,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,7 +499,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 116 groups and 497 rules | Group
@@ -122,7 +122,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,81 +183,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 114 groups and 492 rules | Group
@@ -128,7 +128,28 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,81 +189,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 45 groups and 116 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -485,7 +485,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 101 groups and 375 rules | Group
@@ -133,7 +133,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -308,7 +308,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -427,7 +427,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 49 groups and 144 rules | Group
@@ -157,7 +157,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -332,7 +332,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -451,7 +451,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -674,7 +674,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,7 +327,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r861078_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -504,7 +504,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,7 +143,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r853878_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -523,7 +523,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r861004_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -631,7 +631,34 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Remediation Shell script ⇲# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
+readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
| BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 7.
+ |
+
+
+ | BP28(R1) |
Uninstall Sendmail Package |
Sendmail is not the default mail transfer agent and is
@@ -61,24 +75,6 @@
|
| BP28(R1) |
- Uninstall talk Package |
-
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
- |
-
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
- |
-
-
- | BP28(R1) |
Uninstall talk-server Package |
The talk-server package can be removed with the following command: $ sudo yum erase talk-server
@@ -108,34 +104,19 @@
|
| BP28(R1) |
- Uninstall tftp-server Package |
-
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
- |
-
- Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
- |
-
-
- | BP28(R1) |
- Uninstall DHCP Server Package |
+ Uninstall rsh-server Package |
- If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp package can be removed with the following command:
+ The rsh-server package can be removed with the following command:
-$ sudo yum erase dhcp
+$ sudo yum erase rsh-server
|
- Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
|
@@ -156,18 +137,6 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
-
- The telnet daemon should be uninstalled.
- |
-
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
- |
-
-
| BP28(R1) |
Remove tftp Daemon |
@@ -184,19 +153,84 @@
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall rsh Package |
- The rsh-server package can be removed with the following command:
+
+The rsh package contains the client commands
+
+for the rsh services
+ |
+
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
+ |
+
+
+ | BP28(R1) |
+ Uninstall DHCP Server Package |
+
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase dhcp
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
+ |
+
+
+ | BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Uninstall tftp-server Package |
+
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ |
+
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
+ |
+
+
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
+
+ The telnet daemon should be uninstalled.
+ |
+
+ telnet allows clear text communications, and does not protect
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,15 +65,77 @@
|
+ 3.1.1
3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
+
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
+ |
+
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -82,20 +144,18 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
@@ -121,14 +181,14 @@
3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -137,23 +197,20 @@
|
- 3.1.1
3.1.5 |
- Prevent Login to Accounts With Empty Password |
+ 3.1.1 |
+ Disable GDM Guest Login |
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
@@ -200,63 +257,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -44,186 +44,141 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
- At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system should collect detailed unauthorized file accesses for
+all users and root. The open syscall can be used to modify files
+if called for write operation of with O_TRUNC_WRITE flag.
+The following auidt rules will asure that unsuccessful attempts to modify a
+file via open syscall are collected.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- |
-
- Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- |
-
-
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on Kernel Module Loading and Unloading |
-
- To capture kernel module loading and unloading events, use following lines, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
--a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-The place to add the lines depends on a way auditd daemon is configured. If it is configured
-to use the augenrules program (the default), add the lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl utility,
-add the lines to file /etc/audit/audit.rules.
|
- The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Attempts to Alter Time Through clock_settime |
+ Record Access Events to Audit Log Directory |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport.
-Multiple system calls can be defined on the same line to save space if
-desired, but is not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - removexattr |
+ Record Unsuccessful Permission Changes to Files - fsetxattr |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-following line to a file with suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
+ The audit system should collect unsuccessful file permission change
+attempts for all users and root.
+If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines:
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on Exporting to Media (successful) |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
+ At a minimum, the audit system should collect media exportation
+events for all users and root. If the auditd daemon is configured to
+use the augenrules program to read audit rules during daemon startup
+(the default), add the following line to a file with suffix .rules in
+the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -79,37 +79,51 @@
|
| FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable auditd Service |
- To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+ The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
- If option freq isn't set to , the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+ Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Include Local Events in Audit Logs |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ If option local_events isn't set to yes only events from
+network will be aggregated.
+ |
+
+
+ | FAU_GEN.1 |
+ Set number of records to cause an explicit flush to audit logs |
+
+ To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
+ |
+
+ If option freq isn't set to , the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
|
@@ -135,148 +149,183 @@
| FAU_GEN.1 |
- Include Local Events in Audit Logs |
+ Ensure the audit Subsystem is Installed |
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
+ The audit package should be installed.
|
- If option local_events isn't set to yes only events from
-network will be aggregated.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
| FAU_GEN.1 |
- Enable auditd Service |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+ Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
- | FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ FAU_GEN.1.1.c |
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
- The audit package should be installed.
+ The audit system should collect detailed unauthorized file accesses for
+all users and root. The open syscall can be used to modify files
+if called for write operation of with O_TRUNC_WRITE flag.
+The following auidt rules will asure that unsuccessful attempts to modify a
+file via open syscall are collected.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
| FAU_GEN.1.1.c |
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow |
+ Record Access Events to Audit Log Directory |
- The audit system should collect write events to /etc/shadow file for all users and root.
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
+ |
+
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
+ |
+
+
+ | FAU_GEN.1.1.c |
+ Record Attempts to Alter Logon and Logout Events - faillock |
+
+ The audit system already collects login information for all users
+and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -99,16 +99,18 @@
|
| Req-1.4.1 |
- Install iptables Package |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
- The iptables package can be installed with the following command:
-
-$ sudo yum install iptables
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
|
- iptables controls the Linux kernel network packet filtering
-code. iptables allows system operators to set up firewalls and IP
-masquerading, etc.
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
|
@@ -129,22 +131,6 @@
| Req-1.4.1 |
- Set configuration for IPv6 loopback traffic |
-
- Configure the loopback interface to accept traffic.
-Configure all other interfaces to deny traffic to the loopback
-network.
- |
-
- Loopback traffic is generated between processes on machine and is
-typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
-anti-spoofing measure.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -165,18 +151,32 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+ Install iptables Package |
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ The iptables package can be installed with the following command:
+
+$ sudo yum install iptables
|
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
+ iptables controls the Linux kernel network packet filtering
+code. iptables allows system operators to set up firewalls and IP
+masquerading, etc.
+ |
+
+
+ | Req-1.4.1 |
+ Set configuration for IPv6 loopback traffic |
+
+ Configure the loopback interface to accept traffic.
+Configure all other interfaces to deny traffic to the loopback
+network.
+ |
+
+ Loopback traffic is generated between processes on machine and is
+typically critical to operation of the system. The loopback interface
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
+anti-spoofing measure.
|
@@ -224,22 +224,6 @@
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -255,27 +239,18 @@
|
| Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
- |
-
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
- |
-
-
- | Req-1.4.3 |
- Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
- Accepting "secure" ICMP redirects (from those gateways listed as
-default gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
|
@@ -298,6 +273,19 @@
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ |
+
+ Accepting "secure" ICMP redirects (from those gateways listed as
+default gateways) has few legitimate uses. It should be disabled unless it is
+absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
@@ -312,6 +300,32 @@
|
+ | Req-1.4.3 |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
+ |
+
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
+ |
+
+
+ | Req-2.2.1 |
+ Enable NX or XD Support in the BIOS |
+
+ Reboot the system and enter the BIOS or Setup configuration menu.
+Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
+under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
+on AMD-based systems.
+ |
+
+ Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
+allow users to turn the feature on or off at will.
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
|
| BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 8.
+ |
+
+
+ | BP28(R1) |
Uninstall Sendmail Package |
Sendmail is not the default mail transfer agent and is
@@ -61,24 +75,6 @@
|
| BP28(R1) |
- Uninstall talk Package |
-
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
- |
-
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
- |
-
-
- | BP28(R1) |
Uninstall talk-server Package |
The talk-server package can be removed with the following command: $ sudo yum erase talk-server
@@ -108,34 +104,19 @@
|
| BP28(R1) |
- Uninstall tftp-server Package |
-
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
- |
-
- Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
- |
-
-
- | BP28(R1) |
- Uninstall DHCP Server Package |
+ Uninstall rsh-server Package |
- If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp-server package can be removed with the following command:
+ The rsh-server package can be removed with the following command:
-$ sudo yum erase dhcp-server
+$ sudo yum erase rsh-server
|
- Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
|
@@ -156,18 +137,6 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
-
- The telnet daemon should be uninstalled.
- |
-
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
- |
-
-
| BP28(R1) |
Remove tftp Daemon |
@@ -184,19 +153,84 @@
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall rsh Package |
- The rsh-server package can be removed with the following command:
+
+The rsh package contains the client commands
+
+for the rsh services
+ |
+
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
+ |
+
+
+ | BP28(R1) |
+ Uninstall DHCP Server Package |
+
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp-server package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase dhcp-server
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
+ |
+
+
+ | BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Uninstall tftp-server Package |
+
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ |
+
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
+ |
+
+
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
+
+ The telnet daemon should be uninstalled.
+ |
+
+ telnet allows clear text communications, and does not protect
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,15 +65,77 @@
|
+ 3.1.1
3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
+
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
+ |
+
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -82,20 +144,18 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
@@ -121,14 +181,14 @@
3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -137,23 +197,20 @@
|
- 3.1.1
3.1.5 |
- Prevent Login to Accounts With Empty Password |
+ 3.1.1 |
+ Disable GDM Guest Login |
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
@@ -200,63 +257,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -44,215 +44,141 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
- At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system should collect detailed unauthorized file accesses for
+all users and root. The open syscall can be used to modify files
+if called for write operation of with O_TRUNC_WRITE flag.
+The following auidt rules will asure that unsuccessful attempts to modify a
+file via open syscall are collected.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- |
-
- Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- |
-
-
- | AU-2(a) |
- Configure auditing of loading and unloading of kernel modules |
-
- Ensure that loading and unloading of kernel modules is audited.
-
-The following rules configure audit as described above:
-## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-Load new Audit rules into kernel by running:
-augenrules --load
- |
-
- Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
- |
-
-
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on Kernel Module Loading and Unloading |
-
- To capture kernel module loading and unloading events, use following lines, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
--a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-The place to add the lines depends on a way auditd daemon is configured. If it is configured
-to use the augenrules program (the default), add the lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl utility,
-add the lines to file /etc/audit/audit.rules.
|
- The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Attempts to Alter Time Through clock_settime |
+ Record Access Events to Audit Log Directory |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport.
-Multiple system calls can be defined on the same line to save space if
-desired, but is not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - removexattr |
+ Record Unsuccessful Permission Changes to Files - fsetxattr |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-following line to a file with suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-
+ The audit system should collect unsuccessful file permission change
+attempts for all users and root.
+If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines:
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on Exporting to Media (successful) |
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -99,16 +99,18 @@
|
| Req-1.4.1 |
- Install iptables Package |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
- The iptables package can be installed with the following command:
-
-$ sudo yum install iptables
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
|
- iptables controls the Linux kernel network packet filtering
-code. iptables allows system operators to set up firewalls and IP
-masquerading, etc.
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
|
@@ -129,22 +131,6 @@
| Req-1.4.1 |
- Set configuration for IPv6 loopback traffic |
-
- Configure the loopback interface to accept traffic.
-Configure all other interfaces to deny traffic to the loopback
-network.
- |
-
- Loopback traffic is generated between processes on machine and is
-typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
-anti-spoofing measure.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -165,18 +151,32 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+ Install iptables Package |
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ The iptables package can be installed with the following command:
+
+$ sudo yum install iptables
|
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
+ iptables controls the Linux kernel network packet filtering
+code. iptables allows system operators to set up firewalls and IP
+masquerading, etc.
+ |
+
+
+ | Req-1.4.1 |
+ Set configuration for IPv6 loopback traffic |
+
+ Configure the loopback interface to accept traffic.
+Configure all other interfaces to deny traffic to the loopback
+network.
+ |
+
+ Loopback traffic is generated between processes on machine and is
+typically critical to operation of the system. The loopback interface
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
+anti-spoofing measure.
|
@@ -224,22 +224,6 @@
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -255,27 +239,18 @@
|
| Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
- |
-
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
- |
-
-
- | Req-1.4.3 |
- Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
- Accepting "secure" ICMP redirects (from those gateways listed as
-default gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
|
@@ -298,6 +273,19 @@
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ |
+
+ Accepting "secure" ICMP redirects (from those gateways listed as
+default gateways) has few legitimate uses. It should be disabled unless it is
+absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
@@ -312,20 +300,15 @@
|
- | Req-2.2 |
- Configure OpenSSL library to use System Crypto Policy |
+ Req-1.4.3 |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
- Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
-set up to ignore it.
-To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
-available under /etc/pki/tls/openssl.cnf.
-This file has the ini format, and it enables crypto policy support
-if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
- Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
-and makes system configuration more fragmented.
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
|
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -44,207 +44,141 @@
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
- At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system should collect detailed unauthorized file accesses for
+all users and root. The open syscall can be used to modify files
+if called for write operation of with O_TRUNC_WRITE flag.
+The following auidt rules will asure that unsuccessful attempts to modify a
+file via open syscall are collected.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F auid>=1000 -F auid!=unset -F key=privileged
- |
-
- Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- |
-
-
- | AU-2(a) |
- Configure auditing of loading and unloading of kernel modules |
-
- Ensure that loading and unloading of kernel modules is audited.
-
-The following rules configure audit as described above:
-## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-Load new Audit rules into kernel by running:
-augenrules --load
- |
-
- Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
- |
-
-
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on Kernel Module Loading and Unloading |
-
- To capture kernel module loading and unloading events, use following lines, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
--a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-The place to add the lines depends on a way auditd daemon is configured. If it is configured
-to use the augenrules program (the default), add the lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl utility,
-add the lines to file /etc/audit/audit.rules.
|
- The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Attempts to Alter Time Through clock_settime |
+ Record Access Events to Audit Log Directory |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport.
-Multiple system calls can be defined on the same line to save space if
-desired, but is not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - removexattr |
+ Record Unsuccessful Permission Changes to Files - fsetxattr |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-following line to a file with suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
+ The audit system should collect unsuccessful file permission change
+attempts for all users and root.
+If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines:
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on Exporting to Media (successful) |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
|
| BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.
+ |
+
+
+ | BP28(R1) |
Uninstall Sendmail Package |
Sendmail is not the default mail transfer agent and is
@@ -61,24 +75,6 @@
|
| BP28(R1) |
- Uninstall talk Package |
-
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
- |
-
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
- |
-
-
- | BP28(R1) |
Uninstall talk-server Package |
The talk-server package can be removed with the following command: $ sudo yum erase talk-server
@@ -108,34 +104,19 @@
|
| BP28(R1) |
- Uninstall tftp-server Package |
-
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
- |
-
- Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
- |
-
-
- | BP28(R1) |
- Uninstall DHCP Server Package |
+ Uninstall rsh-server Package |
- If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp package can be removed with the following command:
+ The rsh-server package can be removed with the following command:
-$ sudo yum erase dhcp
+$ sudo yum erase rsh-server
|
- Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
|
@@ -156,18 +137,6 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
-
- The telnet daemon should be uninstalled.
- |
-
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
- |
-
-
| BP28(R1) |
Remove tftp Daemon |
@@ -184,19 +153,84 @@
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall rsh Package |
- The rsh-server package can be removed with the following command:
+
+The rsh package contains the client commands
+
+for the rsh services
+ |
+
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
+ |
+
+
+ | BP28(R1) |
+ Uninstall DHCP Server Package |
+
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase dhcp
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
+ |
+
+
+ | BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Uninstall tftp-server Package |
+
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ |
+
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
+ |
+
+
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
+
+ The telnet daemon should be uninstalled.
+ |
+
+ telnet allows clear text communications, and does not protect
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -70,6 +70,26 @@
|
| 1.1.1.2 |
+ Disable Mounting of freevxfs |
+
+
+To configure the system to prevent the freevxfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
+install freevxfs /bin/true
+
+To configure the system to prevent the freevxfs from being used,
+add the following line to file /etc/modprobe.d/freevxfs.conf:
+blacklist freevxfs
+
+This effectively prevents usage of this uncommon filesystem.
+ |
+
+ Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+ |
+
+
+ | 1.1.1.2 |
Disable Mounting of squashfs |
@@ -94,26 +114,6 @@
|
- | 1.1.1.2 |
- Disable Mounting of freevxfs |
-
-
-To configure the system to prevent the freevxfs
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
-install freevxfs /bin/true
-
-To configure the system to prevent the freevxfs from being used,
-add the following line to file /etc/modprobe.d/freevxfs.conf:
-blacklist freevxfs
-
-This effectively prevents usage of this uncommon filesystem.
- |
-
- Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.
- |
-
-
| 1.1.1.3 |
Disable Mounting of udf |
@@ -624,6 +624,23 @@
|
| 1.2.3 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+ To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+ Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | 1.2.3 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -651,23 +668,6 @@
|
- | 1.2.3 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
- To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
- Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
| 1.2.5 |
Disable Red Hat Network Service (rhnsd) |
@@ -688,18 +688,6 @@
|
| 1.3.1 |
- Install AIDE |
-
- The aide package can be installed with the following command:
-
-$ sudo yum install aide
- |
-
- The AIDE package must be installed if it is to be available for integrity checking.
- |
-
-
- | 1.3.1 |
Build and Test AIDE Database |
Run the following command to generate a new database:
@@ -727,6 +715,18 @@
|
+ | 1.3.1 |
+ Install AIDE |
+
+ The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+ The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -815,74 +815,58 @@
|
| 1.4.2 |
- Verify /boot/efi/EFI/redhat/user.cfg Permissions |
-
- File permissions for /boot/efi/EFI/redhat/user.cfg should be set to 600.
-
-To properly set the permissions of /boot/efi/EFI/redhat/user.cfg, run the command:
-$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg
- |
-
- Proper permissions ensure that only the root user can read or modify important boot
-parameters.
- |
-
-
- | 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
| 1.4.2 |
- Verify /boot/efi/EFI/redhat/user.cfg Group Ownership |
+ Verify /boot/grub2/user.cfg User Ownership |
- The file /boot/efi/EFI/redhat/user.cfg should be group-owned by the
-root group to prevent reading or modification of the file.
+ The file /boot/grub2/user.cfg should be owned by the root
+user to prevent reading or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/user.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg
+To properly set the owner of /boot/grub2/user.cfg, run the command:
+$ sudo chown root /boot/grub2/user.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway. Non-root users who read the boot parameters
-may be able to identify weaknesses in security upon boot and be able to exploit them.
+ Only root should be able to modify important boot parameters. Also, non-root users who read
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,15 +65,77 @@
|
+ 3.1.1
3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
+
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
+ |
+
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -82,20 +144,18 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
@@ -121,14 +181,14 @@
3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -137,23 +197,20 @@
|
- 3.1.1
3.1.5 |
- Prevent Login to Accounts With Empty Password |
+ 3.1.1 |
+ Disable GDM Guest Login |
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
@@ -200,63 +257,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -44,186 +44,141 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
- At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system should collect detailed unauthorized file accesses for
+all users and root. The open syscall can be used to modify files
+if called for write operation of with O_TRUNC_WRITE flag.
+The following auidt rules will asure that unsuccessful attempts to modify a
+file via open syscall are collected.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- |
-
- Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- |
-
-
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on Kernel Module Loading and Unloading |
-
- To capture kernel module loading and unloading events, use following lines, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
--a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-The place to add the lines depends on a way auditd daemon is configured. If it is configured
-to use the augenrules program (the default), add the lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl utility,
-add the lines to file /etc/audit/audit.rules.
|
- The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Attempts to Alter Time Through clock_settime |
+ Record Access Events to Audit Log Directory |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport.
-Multiple system calls can be defined on the same line to save space if
-desired, but is not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - removexattr |
+ Record Unsuccessful Permission Changes to Files - fsetxattr |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-following line to a file with suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
+ The audit system should collect unsuccessful file permission change
+attempts for all users and root.
+If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines:
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on Exporting to Media (successful) |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
+ At a minimum, the audit system should collect media exportation
+events for all users and root. If the auditd daemon is configured to
+use the augenrules program to read audit rules during daemon startup
+(the default), add the following line to a file with suffix .rules in
+the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -79,37 +79,51 @@
|
| FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable auditd Service |
- To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+ The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
- If option freq isn't set to , the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+ Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Include Local Events in Audit Logs |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ If option local_events isn't set to yes only events from
+network will be aggregated.
+ |
+
+
+ | FAU_GEN.1 |
+ Set number of records to cause an explicit flush to audit logs |
+
+ To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
+ |
+
+ If option freq isn't set to , the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
|
@@ -135,148 +149,183 @@
| FAU_GEN.1 |
- Include Local Events in Audit Logs |
+ Ensure the audit Subsystem is Installed |
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
+ The audit package should be installed.
|
- If option local_events isn't set to yes only events from
-network will be aggregated.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
| FAU_GEN.1 |
- Enable auditd Service |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+ Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
- | FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ FAU_GEN.1.1.c |
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
- The audit package should be installed.
+ The audit system should collect detailed unauthorized file accesses for
+all users and root. The open syscall can be used to modify files
+if called for write operation of with O_TRUNC_WRITE flag.
+The following auidt rules will asure that unsuccessful attempts to modify a
+file via open syscall are collected.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
| FAU_GEN.1.1.c |
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow |
+ Record Access Events to Audit Log Directory |
- The audit system should collect write events to /etc/shadow file for all users and root.
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
+ |
+
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
+ |
+
+
+ | FAU_GEN.1.1.c |
+ Record Attempts to Alter Logon and Logout Events - faillock |
+
+ The audit system already collects login information for all users
+and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -99,16 +99,18 @@
|
| Req-1.4.1 |
- Install iptables Package |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
- The iptables package can be installed with the following command:
-
-$ sudo yum install iptables
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
|
- iptables controls the Linux kernel network packet filtering
-code. iptables allows system operators to set up firewalls and IP
-masquerading, etc.
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
|
@@ -129,22 +131,6 @@
| Req-1.4.1 |
- Set configuration for IPv6 loopback traffic |
-
- Configure the loopback interface to accept traffic.
-Configure all other interfaces to deny traffic to the loopback
-network.
- |
-
- Loopback traffic is generated between processes on machine and is
-typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
-anti-spoofing measure.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -165,18 +151,32 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+ Install iptables Package |
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ The iptables package can be installed with the following command:
+
+$ sudo yum install iptables
|
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
+ iptables controls the Linux kernel network packet filtering
+code. iptables allows system operators to set up firewalls and IP
+masquerading, etc.
+ |
+
+
+ | Req-1.4.1 |
+ Set configuration for IPv6 loopback traffic |
+
+ Configure the loopback interface to accept traffic.
+Configure all other interfaces to deny traffic to the loopback
+network.
+ |
+
+ Loopback traffic is generated between processes on machine and is
+typically critical to operation of the system. The loopback interface
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
+anti-spoofing measure.
|
@@ -224,22 +224,6 @@
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -255,27 +239,18 @@
|
| Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
- |
-
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
- |
-
-
- | Req-1.4.3 |
- Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
- Accepting "secure" ICMP redirects (from those gateways listed as
-default gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
|
@@ -298,6 +273,19 @@
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ |
+
+ Accepting "secure" ICMP redirects (from those gateways listed as
+default gateways) has few legitimate uses. It should be disabled unless it is
+absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
@@ -312,6 +300,32 @@
|
+ | Req-1.4.3 |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
+ |
+
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
+ |
+
+
+ | Req-2.2.1 |
+ Enable NX or XD Support in the BIOS |
+
+ Reboot the system and enter the BIOS or Setup configuration menu.
+Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
+under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
+on AMD-based systems.
+ |
+
+ Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
+allow users to turn the feature on or off at will.
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
|
| BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
+ |
+
+
+ | BP28(R1) |
Uninstall Sendmail Package |
Sendmail is not the default mail transfer agent and is
@@ -61,24 +75,6 @@
|
| BP28(R1) |
- Uninstall talk Package |
-
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
- |
-
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
- |
-
-
- | BP28(R1) |
Uninstall talk-server Package |
The talk-server package can be removed with the following command: $ sudo yum erase talk-server
@@ -108,34 +104,19 @@
|
| BP28(R1) |
- Uninstall tftp-server Package |
-
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
- |
-
- Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
- |
-
-
- | BP28(R1) |
- Uninstall DHCP Server Package |
+ Uninstall rsh-server Package |
- If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp-server package can be removed with the following command:
+ The rsh-server package can be removed with the following command:
-$ sudo yum erase dhcp-server
+$ sudo yum erase rsh-server
|
- Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+ The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
|
@@ -156,18 +137,6 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
-
- The telnet daemon should be uninstalled.
- |
-
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
- |
-
-
| BP28(R1) |
Remove tftp Daemon |
@@ -184,19 +153,84 @@
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Uninstall rsh Package |
- The rsh-server package can be removed with the following command:
+
+The rsh package contains the client commands
+
+for the rsh services
+ |
+
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
+ |
+
+
+ | BP28(R1) |
+ Uninstall DHCP Server Package |
+
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp-server package can be removed with the following command:
-$ sudo yum erase rsh-server
+$ sudo yum erase dhcp-server
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
+ |
+
+
+ | BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Uninstall tftp-server Package |
+
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ |
+
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
+ |
+
+
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
+
+ The telnet daemon should be uninstalled.
+ |
+
+ telnet allows clear text communications, and does not protect
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -70,51 +70,51 @@
|
| 1.1.1.2 |
- Disable Mounting of squashfs |
+ Disable Mounting of vFAT filesystems |
-To configure the system to prevent the squashfs
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
-install squashfs /bin/true
+To configure the system to prevent the vfat
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:
+install vfat /bin/true
-To configure the system to prevent the squashfs from being used,
-add the following line to file /etc/modprobe.d/squashfs.conf:
-blacklist squashfs
+To configure the system to prevent the vfat from being used,
+add the following line to file /etc/modprobe.d/vfat.conf:
+blacklist vfat
This effectively prevents usage of this uncommon filesystem.
-The squashfs filesystem type is a compressed read-only Linux
-filesystem embedded in small footprint systems (similar to
-cramfs). A squashfs image can be used without having
-to first decompress the image.
+The vFAT filesystem format is primarily used on older
+windows systems and portable USB drives or flash modules. It comes
+in three types FAT12, FAT16, and FAT32
+all of which are supported by the vfat kernel module.
|
- Removing support for unneeded filesystem types reduces the local attack
+ Removing support for unneeded filesystems reduces the local attack
surface of the system.
|
| 1.1.1.2 |
- Disable Mounting of vFAT filesystems |
+ Disable Mounting of squashfs |
-To configure the system to prevent the vfat
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:
-install vfat /bin/true
+To configure the system to prevent the squashfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
+install squashfs /bin/true
-To configure the system to prevent the vfat from being used,
-add the following line to file /etc/modprobe.d/vfat.conf:
-blacklist vfat
+To configure the system to prevent the squashfs from being used,
+add the following line to file /etc/modprobe.d/squashfs.conf:
+blacklist squashfs
This effectively prevents usage of this uncommon filesystem.
-The vFAT filesystem format is primarily used on older
-windows systems and portable USB drives or flash modules. It comes
-in three types FAT12, FAT16, and FAT32
-all of which are supported by the vfat kernel module.
+The squashfs filesystem type is a compressed read-only Linux
+filesystem embedded in small footprint systems (similar to
+cramfs). A squashfs image can be used without having
+to first decompress the image.
|
- Removing support for unneeded filesystems reduces the local attack
+ Removing support for unneeded filesystem types reduces the local attack
surface of the system.
|
@@ -708,6 +708,25 @@
| 1.2.2 |
+ Disable Red Hat Network Service (rhnsd) |
+
+ The Red Hat Network service automatically queries Red Hat Network
+servers to determine whether there are any actions that should be executed,
+such as package updates. This only occurs if the system was registered to an
+RHN server or satellite and managed as such.
+
+The rhnsd service can be disabled with the following command:
+$ sudo systemctl mask --now rhnsd.service
+ |
+
+ Although systems management and patching is extremely important to
+system security, management by a system outside the enterprise enclave is not
+desirable for some environments. However, if the system is being managed by RHN or
+ RHN Satellite Server the rhnsd daemon can remain on.
+ |
+
+
+ | 1.2.2 |
Ensure Red Hat GPG Key Installed |
To ensure the system can cryptographically verify base software packages
@@ -736,25 +755,6 @@
|
- | 1.2.2 |
- Disable Red Hat Network Service (rhnsd) |
-
- The Red Hat Network service automatically queries Red Hat Network
-servers to determine whether there are any actions that should be executed,
-such as package updates. This only occurs if the system was registered to an
-RHN server or satellite and managed as such.
-
-The rhnsd service can be disabled with the following command:
-$ sudo systemctl mask --now rhnsd.service
- |
-
- Although systems management and patching is extremely important to
-system security, management by a system outside the enterprise enclave is not
-desirable for some environments. However, if the system is being managed by RHN or
- RHN Satellite Server the rhnsd daemon can remain on.
- |
-
-
| 1.2.3 |
Enable authselect |
@@ -800,18 +800,6 @@
|
| 1.3.1 |
- Install AIDE |
-
- The aide package can be installed with the following command:
-
-$ sudo yum install aide
- |
-
- The AIDE package must be installed if it is to be available for integrity checking.
- |
-
-
- | 1.3.1 |
Build and Test AIDE Database |
Run the following command to generate a new database:
@@ -839,6 +827,18 @@
|
+ | 1.3.1 |
+ Install AIDE |
+
+ The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+ The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -927,74 +927,58 @@
|
| 1.4.2 |
- Verify /boot/efi/EFI/redhat/user.cfg Permissions |
-
- File permissions for /boot/efi/EFI/redhat/user.cfg should be set to 600.
-
-To properly set the permissions of /boot/efi/EFI/redhat/user.cfg, run the command:
-$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg
- |
-
- Proper permissions ensure that only the root user can read or modify important boot
-parameters.
- |
-
-
- | 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,15 +65,77 @@
+ 3.1.1
3.1.5 |
+ Prevent Login to Accounts With Empty Password |
+
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ |
+
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
+
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
+ |
+
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -82,20 +144,18 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
@@ -121,14 +181,14 @@
3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -137,23 +197,20 @@
|
- 3.1.1
3.1.5 |
- Prevent Login to Accounts With Empty Password |
+ 3.1.1 |
+ Disable GDM Guest Login |
- If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-nullok in
-
-/etc/pam.d/system-auth and
-/etc/pam.d/password-auth
-
-to prevent logins with empty passwords.
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
|
- If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
|
@@ -200,63 +257,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -44,215 +44,141 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE |
- At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+ The audit system should collect detailed unauthorized file accesses for
+all users and root. The open syscall can be used to modify files
+if called for write operation of with O_TRUNC_WRITE flag.
+The following auidt rules will asure that unsuccessful attempts to modify a
+file via open syscall are collected.
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/pam_timestamp_check
--F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- |
-
- Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
- |
-
-
- | AU-2(a) |
- Configure auditing of loading and unloading of kernel modules |
-
- Ensure that loading and unloading of kernel modules is audited.
-
-The following rules configure audit as described above:
-## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
-Load new Audit rules into kernel by running:
-augenrules --load
- |
-
- Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.
- |
-
-
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Ensure auditd Collects Information on Kernel Module Loading and Unloading |
-
- To capture kernel module loading and unloading events, use following lines, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
--a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-The place to add the lines depends on a way auditd daemon is configured. If it is configured
-to use the augenrules program (the default), add the lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
-
-If the auditd daemon is configured to use the auditctl utility,
-add the lines to file /etc/audit/audit.rules.
|
- The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Attempts to Alter Time Through clock_settime |
+ Record Access Events to Audit Log Directory |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix .rules in the
-directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport.
-Multiple system calls can be defined on the same line to save space if
-desired, but is not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - removexattr |
+ Record Unsuccessful Permission Changes to Files - fsetxattr |
- At a minimum, the audit system should collect file permission
-changes for all users and root.
-
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-following line to a file with suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
-
+ The audit system should collect unsuccessful file permission change
+attempts for all users and root.
+If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod
-
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines:
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on Exporting to Media (successful) |
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-12-05 00:00:00.000000000 +0000
@@ -99,16 +99,18 @@
|
| Req-1.4.1 |
- Install iptables Package |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
- The iptables package can be installed with the following command:
-
-$ sudo yum install iptables
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
|
- iptables controls the Linux kernel network packet filtering
-code. iptables allows system operators to set up firewalls and IP
-masquerading, etc.
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
|
@@ -129,22 +131,6 @@
| Req-1.4.1 |
- Set configuration for IPv6 loopback traffic |
-
- Configure the loopback interface to accept traffic.
-Configure all other interfaces to deny traffic to the loopback
-network.
- |
-
- Loopback traffic is generated between processes on machine and is
-typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
-anti-spoofing measure.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -165,18 +151,32 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+ Install iptables Package |
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ The iptables package can be installed with the following command:
+
+$ sudo yum install iptables
|
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
+ iptables controls the Linux kernel network packet filtering
+code. iptables allows system operators to set up firewalls and IP
+masquerading, etc.
+ |
+
+
+ | Req-1.4.1 |
+ Set configuration for IPv6 loopback traffic |
+
+ Configure the loopback interface to accept traffic.
+Configure all other interfaces to deny traffic to the loopback
+network.
+ |
+
+ Loopback traffic is generated between processes on machine and is
+typically critical to operation of the system. The loopback interface
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
+anti-spoofing measure.
|
@@ -224,22 +224,6 @@
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -255,27 +239,18 @@
|
| Req-1.4.3 |
- Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
- |
-
- Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
- |
-
-
- | Req-1.4.3 |
- Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
- To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
|
- Accepting "secure" ICMP redirects (from those gateways listed as
-default gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
|
@@ -298,6 +273,19 @@
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0
+ |
+
+ Accepting "secure" ICMP redirects (from those gateways listed as
+default gateways) has few legitimate uses. It should be disabled unless it is
+absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
@@ -312,20 +300,15 @@
|
- | Req-2.2 |
- Configure OpenSSL library to use System Crypto Policy |
+ Req-1.4.3 |
+ Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
- Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
-set up to ignore it.
-To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
-available under /etc/pki/tls/openssl.cnf.
-This file has the ini format, and it enables crypto policy support
-if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.
+ To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
- Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
-and makes system configuration more fragmented.
+ Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
|
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 7
+1DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux V3R9.
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 8
+1DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R8.
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -172,7 +172,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -225,26 +225,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -253,30 +272,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -289,29 +313,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -328,19 +358,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -348,9 +368,9 @@
-
+
-
+
@@ -358,40 +378,20 @@
-
-
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -174,7 +174,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -227,26 +227,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -255,30 +274,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -291,29 +315,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -330,19 +360,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -350,9 +370,9 @@
-
+
-
+
@@ -360,40 +380,20 @@
-
-
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,26 +51,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -79,30 +98,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -115,29 +139,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -154,19 +184,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -174,9 +194,9 @@
-
+
-
+
@@ -184,40 +204,20 @@
-
-
-
-
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -208,7 +208,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -261,15 +261,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
+
-
+
@@ -277,72 +271,73 @@
-
+
-
-
+
-
+
-
-
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -350,105 +345,110 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -210,7 +210,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -263,15 +263,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
+
-
+
@@ -279,72 +273,73 @@
-
+
-
-
+
-
+
-
-
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -352,105 +347,110 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -51,15 +51,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
+
-
+
@@ -67,72 +61,73 @@
-
+
-
-
+
-
+
-
-
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -140,105 +135,110 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -164,7 +164,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -217,38 +217,41 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
+
+
+
+
+
-
+
-
-
-
-
+
+
+
@@ -256,44 +259,41 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -301,29 +301,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -331,39 +316,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -166,7 +166,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -219,38 +219,41 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
+
+
+
+
+
-
+
-
-
-
-
+
+
+
@@ -258,44 +261,41 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -303,29 +303,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -333,39 +318,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -51,38 +51,41 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
+
+
+
+
+
-
+
-
-
-
-
+
+
+
@@ -90,44 +93,41 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -135,29 +135,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -165,39 +150,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -148,7 +148,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -191,27 +191,14 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
+
@@ -219,29 +206,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -249,58 +237,55 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -308,34 +293,49 @@
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -148,7 +148,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -191,27 +191,14 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
+
@@ -219,29 +206,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -249,58 +237,55 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -308,34 +293,49 @@
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,154 +7,166 @@
2022-12-05T00:00:00
-
- Disable Power Settings in GNOME3
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Disable Kernel mac80211 Module
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Configure SSSD to Expire SSH Known Hosts
+
+ Record Successful Permission Changes to Files - removexattr
- ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Enable authselect
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-enable_authselect_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Record Successful Access Attempts to Files - openat
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Add nosuid Option to /tmp
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Record Unsuccessful Permission Changes to Files - fsetxattr
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Configure low address space to protect from user allocation
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Configure Kerberos to use System Crypto Policy
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Verify the UEFI Boot Loader grub.cfg Permissions
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1
-
- Uninstall python3-abrt-addon Package
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-package_python3-abrt-addon_removed_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Verify No netrc Files Exist
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Enable cron Service
+
+ Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
-
- Ensure there are no legacy + NIS entries in /etc/shadow
+
+ Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
- ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1
+ ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_action:testaction:1
-
- Install Virus Scanning Software
+
+ Disable the uvcvideo module
- ocil:ssg-install_antivirus_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Ensure Insecure File Locking is Not Allowed
+
+ Set Default firewalld Zone for Incoming Packets
- ocil:ssg-no_insecure_locks_exports_action:testaction:1
+ ocil:ssg-set_firewalld_default_zone_action:testaction:1
-
- User a virtually-mapped stack
+
+ Add nosuid Option to /var/log/audit
- ocil:ssg-kernel_config_vmap_stack_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Install scap-security-guide Package
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -43,27 +43,14 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
+
@@ -71,29 +58,30 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -101,58 +89,55 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -160,34 +145,49 @@
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -144,7 +144,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -187,9 +187,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
@@ -197,22 +197,20 @@
-
+
-
-
+
+
-
+
-
-
+
-
-
-
-
+
+
+
@@ -220,44 +218,50 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -265,89 +269,85 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -146,7 +146,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -189,9 +189,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
@@ -199,22 +199,20 @@
-
+
-
-
+
+
-
+
-
-
+
-
-
-
-
+
+
+
@@ -222,44 +220,50 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -267,89 +271,85 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,1714 +7,1714 @@
2022-12-05T00:00:00
-
- User Initialization Files Must Be Group-Owned By The Primary User
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Configure SSSD to Expire SSH Known Hosts
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Record Successful Permission Changes to Files - removexattr
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Record Successful Access Attempts to Files - openat
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Add nosuid Option to /tmp
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Record Unsuccessful Permission Changes to Files - fsetxattr
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
-
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
+
+ Configure low address space to protect from user allocation
- ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Disable the xserver_object_manager SELinux Boolean
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-sebool_xserver_object_manager_action:testaction:1
-
- Disable SCTP Support
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Verify the UEFI Boot Loader grub.cfg Permissions
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Enable the cron_userdomain_transition SELinux Boolean
+
+ Verify No netrc Files Exist
- ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Enable cron Service
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Ensure there are no legacy + NIS entries in /etc/shadow
+
+ Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
- ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
-
- Install Virus Scanning Software
+
+ Disable the xdm_write_home SELinux Boolean
- ocil:ssg-install_antivirus_action:testaction:1
+ ocil:ssg-sebool_xdm_write_home_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Disable Kernel Parameter for IPv6 Forwarding
- ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Disable the uvcvideo module
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Disable kexec system call
+
+ Set Default firewalld Zone for Incoming Packets
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -43,9 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
@@ -53,22 +53,20 @@
-
+
-
-
+
+
-
+
-
-
+
-
-
-
-
+
+
+
@@ -76,44 +74,50 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -121,89 +125,85 @@
-
+
-
+
-
+
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -152,7 +152,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -195,9 +195,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
@@ -205,126 +205,118 @@
-
+
-
-
+
+
-
+
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -332,46 +324,54 @@
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -154,7 +154,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -197,9 +197,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
@@ -207,126 +207,118 @@
-
+
-
-
+
+
-
+
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -334,46 +326,54 @@
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,676 +7,676 @@
2022-12-05T00:00:00
-
- User Initialization Files Must Be Group-Owned By The Primary User
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Configure SSSD to Expire SSH Known Hosts
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Record Successful Permission Changes to Files - removexattr
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
-
- Enable authselect
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-enable_authselect_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Record Successful Access Attempts to Files - openat
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Add nosuid Option to /tmp
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Record Unsuccessful Permission Changes to Files - fsetxattr
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Configure low address space to protect from user allocation
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
+
+ Disable the xserver_object_manager SELinux Boolean
- ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1
+ ocil:ssg-sebool_xserver_object_manager_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable SCTP Support
+
+ Configure Kerberos to use System Crypto Policy
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Verify the UEFI Boot Loader grub.cfg Permissions
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Enable the cron_userdomain_transition SELinux Boolean
+
+ Verify No netrc Files Exist
- ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Enable cron Service
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Ensure there are no legacy + NIS entries in /etc/shadow
+
+ Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
- ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
-
- Install Virus Scanning Software
+
+ Record Any Attempts to Run chacl
- ocil:ssg-install_antivirus_action:testaction:1
+ ocil:ssg-audit_rules_execution_chacl_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Disable the xdm_write_home SELinux Boolean
/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -43,9 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
@@ -53,126 +53,118 @@
-
+
-
-
+
+
-
+
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -180,46 +172,54 @@
/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -136,7 +136,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -179,15 +179,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -196,30 +210,24 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -232,89 +240,81 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -138,7 +138,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -181,15 +181,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -198,30 +212,24 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -234,89 +242,81 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,1241 +7,1240 @@
2022-12-05T00:00:00
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Enable authselect
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-enable_authselect_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Add nosuid Option to /tmp
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Configure low address space to protect from user allocation
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Configure Kerberos to use System Crypto Policy
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Disable SCTP Support
+
+ Verify No netrc Files Exist
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Record Any Attempts to Run chacl
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-audit_rules_execution_chacl_action:testaction:1
-
- Enable cron Service
+
+ Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Disable the uvcvideo module
- ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Add nosuid Option to /var/log/audit
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
-
- Disable kexec system call
+
+ Install scap-security-guide Package
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-package_scap-security-guide_installed_action:testaction:1
-
- Set SSH Client Alive Count Max
+
+ Record Any Attempts to Run seunshare
- ocil:ssg-sshd_set_keepalive_action:testaction:1
+ ocil:ssg-audit_rules_execution_seunshare_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Prevent Unrestricted Mail Relaying
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-postfix_prevent_unrestricted_relay_action:testaction:1
-
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
- ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Set SSH Client Alive Count Max
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Ensure All SGID Executables Are Authorized
+
+ Add nosuid Option to /boot
/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -43,15 +43,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -60,30 +74,24 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -96,89 +104,81 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -132,7 +132,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -175,15 +175,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
@@ -192,25 +202,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -223,94 +237,80 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
-
+
+
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -132,7 +132,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -175,15 +175,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
@@ -192,25 +202,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -223,94 +237,80 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
-
+
+
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,94 +7,112 @@
2022-12-05T00:00:00
-
- Disable Kernel mac80211 Module
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Add nosuid Option to /tmp
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Record Unsuccessful Permission Changes to Files - fsetxattr
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
-
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
+
+ Configure low address space to protect from user allocation
- ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable SCTP Support
+
+ Configure Kerberos to use System Crypto Policy
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Enable cron Service
+
+ Ensure SELinux Not Disabled in zIPL
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-zipl_enable_selinux_action:testaction:1
-
- Ensure there are no legacy + NIS entries in /etc/shadow
+
+ Verify No netrc Files Exist
- ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Disable the uvcvideo module
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Disable kexec system call
+
+ Add nosuid Option to /var/log/audit
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
-
- Install iptables Package
+
+ Record Any Attempts to Run seunshare
- ocil:ssg-package_iptables_installed_action:testaction:1
+ ocil:ssg-audit_rules_execution_seunshare_action:testaction:1
+
+
+
+ Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
+
+ ocil:ssg-network_nmcli_permissions_action:testaction:1
+
+
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
+
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
+
+
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
@@ -103,238 +121,238 @@
ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Add nosuid Option to /boot
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-mount_option_boot_nosuid_action:testaction:1
-
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+ Verify that Interactive Boot is Disabled
- ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
+ ocil:ssg-coreos_disable_interactive_boot_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Use Centralized and Automated Authentication
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Disable x86 vsyscall emulation
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -43,15 +43,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
@@ -60,25 +70,29 @@
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -91,94 +105,80 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
-
+
+
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -168,7 +168,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -211,26 +211,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -239,30 +258,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -275,29 +299,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -314,19 +344,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -334,9 +354,9 @@
-
+
-
+
@@ -344,40 +364,20 @@
-
-
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -170,7 +170,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -213,26 +213,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -241,30 +260,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -277,29 +301,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -316,19 +346,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -336,9 +356,9 @@
-
+
-
+
@@ -346,40 +366,20 @@
-
-
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,2908 +7,2902 @@
2022-12-05T00:00:00
-
- Disable System Statistics Reset Service (sysstat)
-
- ocil:ssg-service_sysstat_disabled_action:testaction:1
-
-
-
- User Initialization Files Must Be Group-Owned By The Primary User
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Disable Power Settings in GNOME3
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Configure SSSD to Expire SSH Known Hosts
+
+ Configure A Valid Server Certificate
- ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
+ ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Disable the virt_sandbox_use_sys_admin SELinux Boolean
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Record Successful Permission Changes to Files - removexattr
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1
-
- Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean
+
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
- ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Record Successful Access Attempts to Files - openat
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Disable the tor_can_network_relay SELinux Boolean
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-sebool_tor_can_network_relay_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Add nosuid Option to /tmp
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Record Unsuccessful Permission Changes to Files - fsetxattr
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
-
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
+
+ Disable the cdrecord_read_content SELinux Boolean
- ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1
+ ocil:ssg-sebool_cdrecord_read_content_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Configure low address space to protect from user allocation
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Disable SCTP Support
+
+ Disable the xserver_object_manager SELinux Boolean
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-sebool_xserver_object_manager_action:testaction:1
-
- Disable the kdumpgui_run_bootloader SELinux Boolean
+
+ Disable the postgresql_can_rsync SELinux Boolean
- ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1
+ ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Disable the openshift_use_nfs SELinux Boolean
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-sebool_openshift_use_nfs_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Verify Permissions on cron.daily
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Enable the cron_userdomain_transition SELinux Boolean
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Enable IRQ Balance (irqbalance)
+
+ Disable the samba_export_all_ro SELinux Boolean
- ocil:ssg-service_irqbalance_enabled_action:testaction:1
+ ocil:ssg-sebool_samba_export_all_ro_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -43,26 +43,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -71,30 +90,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -107,29 +131,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -146,19 +176,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -166,9 +186,9 @@
-
+
-
+
@@ -176,40 +196,20 @@
-
-
-
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -204,7 +204,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -247,15 +247,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
+
-
+
@@ -263,72 +257,73 @@
-
+
-
-
+
-
+
-
-
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -336,105 +331,110 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -206,7 +206,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -249,15 +249,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
+
-
+
@@ -265,72 +259,73 @@
-
+
-
-
+
-
+
-
-
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -338,105 +333,110 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,3149 +7,3148 @@
2022-12-05T00:00:00
-
- Disable System Statistics Reset Service (sysstat)
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-service_sysstat_disabled_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- User Initialization Files Must Be Group-Owned By The Primary User
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Disable Power Settings in GNOME3
+
+ Configure A Valid Server Certificate
- ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1
+ ocil:ssg-httpd_configure_valid_server_cert_action:testaction:1
-
- Disable Kernel mac80211 Module
+
+ Disable the virt_sandbox_use_sys_admin SELinux Boolean
- ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1
+ ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1
-
- Configure SSSD to Expire SSH Known Hosts
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Record Successful Permission Changes to Files - removexattr
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Enable authselect
+
+ Record Successful Access Attempts to Files - openat
- ocil:ssg-enable_authselect_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Disable the tor_can_network_relay SELinux Boolean
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-sebool_tor_can_network_relay_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Add nosuid Option to /tmp
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Record Unsuccessful Permission Changes to Files - fsetxattr
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Disable the cdrecord_read_content SELinux Boolean
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-sebool_cdrecord_read_content_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Configure low address space to protect from user allocation
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Disable the xserver_object_manager SELinux Boolean
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-sebool_xserver_object_manager_action:testaction:1
-
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
+
+ Disable the postgresql_can_rsync SELinux Boolean
- ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1
+ ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Disable the openshift_use_nfs SELinux Boolean
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-sebool_openshift_use_nfs_action:testaction:1
-
- Disable SCTP Support
+
+ Verify Permissions on cron.daily
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Disable the kdumpgui_run_bootloader SELinux Boolean
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Disable the samba_export_all_ro SELinux Boolean
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -43,15 +43,9 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
+
-
+
@@ -59,72 +53,73 @@
-
+
-
-
+
-
+
-
-
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -132,105 +127,110 @@
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -160,7 +160,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -203,38 +203,41 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
+
+
+
+
+
-
+
-
-
-
-
+
+
+
@@ -242,44 +245,41 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -287,29 +287,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -317,39 +302,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -162,7 +162,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -205,38 +205,41 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
+
+
+
+
+
-
+
-
-
-
-
+
+
+
@@ -244,44 +247,41 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -289,29 +289,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -319,39 +304,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,802 +7,802 @@
2022-12-05T00:00:00
-
- Disable Power Settings in GNOME3
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Disable Kernel mac80211 Module
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Disable the virt_sandbox_use_sys_admin SELinux Boolean
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-sebool_virt_sandbox_use_sys_admin_action:testaction:1
-
- Configure auditing of successful ownership changes (AArch64)
+
+ Record Successful Permission Changes to Files - removexattr
- ocil:ssg-audit_owner_change_success_aarch64_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Enable authselect
+
+ Configure auditing of unsuccessful file modifications (ppc64le)
- ocil:ssg-enable_authselect_action:testaction:1
+ ocil:ssg-audit_modify_failed_ppc64le_action:testaction:1
-
- The operating system must restrict privilege elevation to authorized personnel
+
+ Record Successful Access Attempts to Files - openat
- ocil:ssg-sudo_restrict_privilege_elevation_to_authorized_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Disable the tor_can_network_relay SELinux Boolean
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-sebool_tor_can_network_relay_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Add nosuid Option to /tmp
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Add hidepid Option to /proc
+
+ Record Unsuccessful Permission Changes to Files - fsetxattr
- ocil:ssg-mount_option_proc_hidepid_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
-
- Configure auditing of loading and unloading of kernel modules
+
+ Disable the cdrecord_read_content SELinux Boolean
- ocil:ssg-audit_module_load_action:testaction:1
+ ocil:ssg-sebool_cdrecord_read_content_action:testaction:1
-
- Make sure that the dconf databases are up-to-date with regards to respective keyfiles
+
+ Configure low address space to protect from user allocation
- ocil:ssg-dconf_db_up_to_date_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
+
+ Disable the xserver_object_manager SELinux Boolean
- ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1
+ ocil:ssg-sebool_xserver_object_manager_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Disable the postgresql_can_rsync SELinux Boolean
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-sebool_postgresql_can_rsync_action:testaction:1
-
- Disable SCTP Support
+
+ Disable the openshift_use_nfs SELinux Boolean
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-sebool_openshift_use_nfs_action:testaction:1
-
- Disable the kdumpgui_run_bootloader SELinux Boolean
+
+ Verify Permissions on cron.daily
- ocil:ssg-sebool_kdumpgui_run_bootloader_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Add noexec Option to /var/log
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-mount_option_var_log_noexec_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable loading and unloading of kernel modules
+
+ Disable the samba_export_all_ro SELinux Boolean
- ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
+ ocil:ssg-sebool_samba_export_all_ro_action:testaction:1
-
- Enable the cron_userdomain_transition SELinux Boolean
+
+ Configure Kerberos to use System Crypto Policy
/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -43,38 +43,41 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
-
+
+
+
+
+
+
-
+
-
-
-
-
+
+
+
@@ -82,44 +85,41 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
+
-
+
-
+
@@ -127,29 +127,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
@@ -157,39 +142,40 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,30 +171,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -207,24 +226,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -241,19 +265,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -261,9 +275,9 @@
-
+
-
+
@@ -271,34 +285,20 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -1993,6 +1993,16 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+yum reinstall -y $packages_to_reinstall
+
- name: 'Set fact: Package manager reinstall command (dnf)'
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,30 +171,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -207,24 +226,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -241,19 +265,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -261,9 +275,9 @@
-
+
-
+
@@ -271,34 +285,20 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -1993,6 +1993,16 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+yum reinstall -y $packages_to_reinstall
+
- name: 'Set fact: Package manager reinstall command (dnf)'
/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,1612 +7,1624 @@
2022-12-05T00:00:00
-
- User Initialization Files Must Be Group-Owned By The Primary User
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Configure SSSD to Expire SSH Known Hosts
+
+ Disable the selinuxuser_execheap SELinux Boolean
- ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execheap_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
+
+ Record Successful Permission Changes to Files - removexattr
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1
-
- Configure the root Account for Failed Password Attempts
+
+ Configure Libreswan to use System Crypto Policy
- ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1
+ ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1
-
- Verify Permissions on shadow File
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Record Successful Access Attempts to Files - openat
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Ensure All Files Are Owned by a Group
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-file_permissions_ungroupowned_action:testaction:1
-
- Disable SCTP Support
+
+ Configure low address space to protect from user allocation
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Enable the cron_userdomain_transition SELinux Boolean
+
+ Disable the xserver_object_manager SELinux Boolean
- ocil:ssg-sebool_cron_userdomain_transition_action:testaction:1
+ ocil:ssg-sebool_xserver_object_manager_action:testaction:1
-
- Enable cron Service
+
+ Verify Permissions on cron.daily
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Ensure there are no legacy + NIS entries in /etc/shadow
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Install Virus Scanning Software
+
+ Configure Kerberos to use System Crypto Policy
- ocil:ssg-install_antivirus_action:testaction:1
+ ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Record Attempts to Alter Logon and Logout Events - faillock
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-audit_rules_login_events_faillock_action:testaction:1
-
- Disable kexec system call
+
+ Verify No netrc Files Exist
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Install iptables Package
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-package_iptables_installed_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Set SSH Client Alive Count Max
+
+ Disable the xdm_write_home SELinux Boolean
- ocil:ssg-sshd_set_keepalive_action:testaction:1
+ ocil:ssg-sebool_xdm_write_home_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Disable Kernel Parameter for IPv6 Forwarding
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1
-
- Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+ Disable the uvcvideo module
- ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Set Default firewalld Zone for Incoming Packets
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-set_firewalld_default_zone_action:testaction:1
-
- Disable the deny_ptrace SELinux Boolean
+
+ Install scap-security-guide Package
- ocil:ssg-sebool_deny_ptrace_action:testaction:1
+ ocil:ssg-package_scap-security-guide_installed_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -43,30 +43,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -79,24 +98,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -113,19 +137,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -133,9 +147,9 @@
-
+
-
+
@@ -143,34 +157,20 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
-
+
+
+
-
-
-
-
-
-
+
-
+
@@ -1865,6 +1865,16 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+yum reinstall -y $packages_to_reinstall
+
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -172,7 +172,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -225,26 +225,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -253,30 +272,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -289,29 +313,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -328,19 +358,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -348,9 +368,9 @@
-
+
-
+
@@ -358,40 +378,20 @@
-
-
/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -174,7 +174,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -227,26 +227,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -255,30 +274,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -291,29 +315,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -330,19 +360,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -350,9 +370,9 @@
-
+
-
+
@@ -360,40 +380,20 @@
-
-
/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,26 +51,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
-
+
+
-
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -79,30 +98,35 @@
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -115,29 +139,35 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -154,19 +184,9 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
@@ -174,9 +194,9 @@
-
+
-
+
@@ -184,40 +204,20 @@
-
-
-
-
RPMS.2017/scap-security-guide-ubuntu-0.1.65-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.65-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-ubuntu-0.1.65-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.65-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-ubuntu
--- old-rpm-tags
+++ new-rpm-tags
@@ -201,4 +201,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 4019e083c8179d9d52b4c8cd8561579b5b99ea0e8f6a5bf1fc46e24c756e8623 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html dbe92dd3054e4246a8e55ddb14986b56867db25d61056c73833a5cfa33fd6c37 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 8820678b7f2203760efc2134f8fa302c94ed16b19f34ec45e7dbdb5fa78c5d73 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 19816cf760f15ef1aab49772dd0a0d7376c1bd238c1bce304d354a564e1a715a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html d97a1e7009a0bdebcd53ee2f27cb21e7187889662fcfef7e34ad3adf5369b5f7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html dd99a942c5e070c6f7e3eb0f9160c2cd2f37745ec8a2db3a141755f2e3387dcc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 1e87fe146c2fe8dc6b5bd7ec59964e25bd74ca5ea3953a805a2df3fa131599b6 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 456361d87b76e2958f9e144f94e11818b147fd4311ba5eb8ec6ff682125729d0 2
@@ -206,6 +206,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 08387835bd8aacd69f971a94c87439584477adf0d2e9bad77cd6baf2e7b0b44b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html a1d974f33af967ca0617b28654a852cf72674ac8182afb97abc0b99f92fe47be 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html c89044dfbec52f08dbf513a5af1009c62f34b8fbe53451e4d505ad27f57fd087 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 670d58860f7e5e7fb9f753fcd3c9ed4a41646e8ae38191ec80c25fc6a084c567 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 7d595858c1ecc646e6913dfeca629572524c835ade602197e8961652b5e9d050 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 8348291e5cc207d615f6d150923f0d4ec26ea7260d6bd977fce7b3c4034a42f8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html df366cdbb2743eef8fbc5fa23255918398e549c5d2bcb0d8d77c6d440523917c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 61cf23c970a061a66601587ea1817df9c567f3b063abb305a3856d62cb0c4115 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 8ef08fbe5bf00a5031d8a85e1c4e03b043f9a9187e58a88ad82efd06adb1321a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html e61d6a6383e7ce93090e12ad2d29f7faec7867fdfabe40b6f4fc497d8a0f22e8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 91f6616a5952529498139f9ba1b32533ba9c08abbf44179d33103b167d84dfb3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 12f0b5aa2d42df1f50f3f665f1cfcbcada66c65a468ebba9875f4bf777c3aa87 2
@@ -213,5 +213,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 2b9299d0eecd5bbf2e7ac43a3fb6687e913257e99bf45b2b81ecc6bca583313f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 3cf966dda90b46ee82a2e6bde1006ba8372590cc47a342fb9b9b66baf700cb32 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 0361e29bee2621625e77dd78dc8d9ea190f9accee39fd157d87f27feaa6791b6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 4f29b858655bba6ff2108735d932bb0cfd4bebd76001a5cb76c086899c1b41c5 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html dd7e58a86a69b881781a14ff2ced9b316cac2a532d2fd81f42c52705eef8b690 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 79a9784847f10bbf53c1fa8cbdad41601c3ebf50da0209df77c5e81dee3c0933 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 8a3763949d252efe6d93f756981e99cfd87b292c1396f4c4466c89051d6d7c4f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 98a488c626163f03a2f2ddd455be99d9846c4b489e6792f9e627d2ede0a24894 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html d3a7a11c9171ae770ba6dcc48dce7da87e39279e683afa45f915ca6b926fbf04 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 758858aef66be18130e6af7146b99908dd9759a60ac035929c5f8fc7beb76532 2
@@ -219,6 +219,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html fc287b19cb5fc723af1cd8dab9b2f4eb325a943e96979d387cf0b0b84d01690e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html cdd005545461b363ed74275a5d524cc7836b643de82d752a7de40f004c692930 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html 019823a73305274e35a821d75b974587ecb0af4c34891e6ba350d22a6cb24feb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 8fa93122f55592910de14349b999248ae7ee4103a16d7f1dc245ded529c74231 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html e192ba48cd580fc06b6b6af502020c75f70e18d304a8b67d808eed0484e539c2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html b7bd0798a2c417c178b20d0e7f8f40ff06f9113e7cd5295440d88e9ecfeaee79 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 1a832d81ac8a8bf62d1d594f1dd17469489293981c3060971cd0a398b5038838 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html a5c41ebab3dd49d8a54d15f7b20808a211a15e48b5e074146d01a4a789dcf398 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html c58a2dd3a5455d16831219ea9d5516e540b3e7674462cee847125f5389097c08 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 514309cc932d4affa6274e3b40d09b535ed89759810134f28473929ec20d2486 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 6ee3113f57e5b3523e4bd3792f9464467e02d0898f40c5134af5b0863b47aafd 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html 3fe588d5d19c80ca404d60223c58141f8200a9d67f3d9cc60afc54f7bdb521b8 2
@@ -226 +226 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html 5f0a6fb18d525e7dc047fbf2ebf6076f163b788ce551d1ce00801632d68f1849 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html a2d9e83f9e26a0c84d4206b19adcd1ed5edc75bb9aeea3906c7a507c93e7034d 2
@@ -283,3 +283,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 31ac8074e6cebeea2e82395023784ae83794d9f17eac1bef3f555b5e36377418 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 8e42a420298c917c69f854fe18065f9ecf581708bce2756d4a4f79cb0c6181d9 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 674ad3e476b5c27bc6dec28a03eac1bf34afc9435d490198be1e46746f24e0a6 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 0432db2d889765b5718053c44d2c190b762037b76487637c8a0ebfc0f992ab50 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml d55a225fc65124c14d285cfe94565f1a0c6b98dd16c446e8de3d70a7710e7662 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml ed077ddaabe3f7b24ca2ecb551528b243524688e97f06ffbb85ada637b20f812 0
@@ -287 +287 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml b6877038a86adb0a1d0e689194be503a64d76de08bd0953b07c957ac00a90c04 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 200a5ef5c289872d4670fc2cd4604b4aee150fe53bc6dce87aa839bd98e29195 0
@@ -290,3 +290,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml d00b32058186eaf15b0b25d8a919682ea116026a5b7ae116515623400d7f365e 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml f45bbc88162e1f0368e1133ee83c44cb2f90a6518e6069f00875a1c304eef756 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml da59724536f1fcfb66d0ec01d735311053fb931df89c73e7b32bd334488d814f 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 3180b8c366f406c5e68dcebf644683ca29e53faa2ba7ead6e0dba1f4d9e7c966 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 526e4ce98867a52cac6443a72e41566c39c3791d6c5675608ab3d3a3a8591df7 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml e4acea9ab3018e1a7689a3a6208d7d1496b0aa289b49754a2e83c110d61a9330 0
@@ -294 +294 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml dfca60b64aa2ea6ca7cde9303bf48e818d49584e6dfd0036b01d7958eafad125 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 8090476cddc1e3383a58ab9bd28f6be787b03155dff24dda3f2f9550d4b0efee 0
@@ -297,3 +297,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 47027225166409a5e24bbbdada7642e931f5b5771749f5be0a3390c632bc30ce 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2357e2b9a3c3c5e4bfc2e529b77e79dc09fc910b1bef7cacf10b46e75b98bc36 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml fa41520ac31e1b4716e25421a928e6b13d71202a52e1337e35c979c7e1b1d624 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 9c913354fa9e59a29e38f1fa9b99d7e1b2fbede95d1c8adfb3c7378acaabe32a 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 9fa5b78538b213b1f21d334eb6f463204bd4289d90e9f41988096dabdd97cbf5 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 05fab74ebde24e364bb4678b1c46d7bce611d9acad90dd919f06251c3cd3e6e0 0
@@ -301 +301 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml be5184b0c8d755ff01627a4a28e208c4ef3fdd9e0ccdf693088de59fe1f0a5e6 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 7ff3ae88a4ae08462535a5e4b339f467697984b58f8f04afccaa76bd00410aa1 0
@@ -304,3 +304,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 1a11b5f4c5f7598776ccbeab71b604cf0455fbf5e6c7473d8963649b8a1e887d 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml e4f75770c2bada7c3703edbea34845bc899a3b6ad2951ca7ee4751f4c52b6bef 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 648bad8ce06ffc6a5d175f5e8d453a985eeb44e2feafd7a96b4fa95e56f0fa23 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 33924ec35f3ce8ab8ac8ab7001594563b1e4fc9b8f4dd0379a4f16aa1ad69cf7 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 3271b587c7fb61c5954bd994bb844a8cba01068efb76927fa43f239d3a14a2c9 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 68c316a40ffc58827f6a167031085fea661d7ace4a64c150e1a43b32f18bc235 0
@@ -308 +308 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 65d1ee172a7f022441b9daadb2139fff047c59632960814289615ede25e07ddd 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml d1b0962e9597f7946036f2c37bf34c42933c7d67662b0ca590a2395887c09cd7 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 40 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
|
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,7 +507,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 22 groups and 46 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,7 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 9 groups and 19 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,7 +243,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 21 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,7 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 45 rules | | Group
@@ -230,7 +230,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -284,7 +284,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -485,7 +485,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2022-12-05 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 40 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,7 +507,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 22 groups and 46 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,7 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 9 groups and 19 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,7 +243,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,7 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,7 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 71 rules | | Group
@@ -1282,7 +1282,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Network Configuration and Firewalls
Group contains 1 group and 2 rules | [ref]
@@ -1402,7 +1402,21 @@
kernel module from being loaded, add the following line to the file /etc/modprobe.d/rds.conf:
install rds /bin/true | | Rationale: | Disabling RDS protects
the system against exploitation of any flaws in its implementation. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled | | Identifiers and References | References:
- 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3 | | |
| Rule
Disable TIPC Support
[ref] | The Transparent Inter-Process Communication (TIPC) protocol
@@ -1447,7 +1447,21 @@
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. | | Rationale: | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled | | Identifiers and References | References:
- 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 | | |
| | Group
File Permissions and Masks
Group contains 7 groups and 41 rules | | To properly set the group owner of /etc/group-, run the command: $ sudo chgrp root /etc/group- | | Rationale: | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns Backup gshadow File
[ref] | To properly set the group owner of /etc/gshadow-, run the command: $ sudo chgrp shadow /etc/gshadow- | | Rationale: | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 45 rules | | Group
@@ -228,7 +228,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -282,7 +282,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -483,7 +483,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2022-12-05 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 82 groups and 191 rules | | Group
@@ -110,7 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -463,7 +463,28 @@
$ sudo apt remove gdm3 | | Rationale: | Unnecessary service packages must not be installed to decrease the attack surface of the system.
A graphical environment is unnecessary for certain types of systems including a virtualization
hypervisor. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_gdm_removed | | Identifiers and References | References:
- CM-7(a), CM-7(b), CM-6(a), SRG-OS-000480-GPOS-00227, 1.10 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 79 groups and 190 rules | | Group
@@ -110,7 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -574,7 +574,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -508,7 +508,28 @@
$ sudo apt remove gdm3 | | Rationale: | Unnecessary service packages must not be installed to decrease the attack surface of the system.
A graphical environment is unnecessary for certain types of systems including a virtualization
hypervisor. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_gdm_removed | | Identifiers and References | References:
- CM-7(a), CM-7(b), CM-6(a), SRG-OS-000480-GPOS-00227, 1.10 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 93 groups and 277 rules | | Group
@@ -110,7 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -619,7 +619,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| | Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2022-12-05 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- APT service configuration
- Base Services
- Deprecated services
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 75 groups and 191 rules | | Group
@@ -112,7 +112,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -263,7 +263,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -725,7 +725,37 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_authentication | | Identifiers and References | References:
- 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, UBTU-20-010014 | | |
| | Group
Updating Software
Group contains 1 rule | [ref]
@@ -1134,28 +1134,7 @@
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_banner_etc_issue_net | | Identifiers and References | References:
- CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, UBTU-20-010038 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 81 groups and 189 rules | | Group
@@ -110,7 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -457,7 +457,28 @@
$ sudo apt remove gdm3 | | Rationale: | Unnecessary service packages must not be installed to decrease the attack surface of the system.
A graphical environment is unnecessary for certain types of systems including a virtualization
hypervisor. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_gdm_removed | | Identifiers and References | References:
- CM-7(a), CM-7(b), CM-6(a), SRG-OS-000480-GPOS-00227, 1.10 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 78 groups and 188 rules | | Group
@@ -110,7 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -568,7 +568,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -502,7 +502,28 @@
$ sudo apt remove gdm3 | | Rationale: | Unnecessary service packages must not be installed to decrease the attack surface of the system.
A graphical environment is unnecessary for certain types of systems including a virtualization
hypervisor. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_gdm_removed | | Identifiers and References | References:
- CM-7(a), CM-7(b), CM-6(a), SRG-OS-000480-GPOS-00227, 1.10 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.65 - draft
- (as of 2023-01-14)
+ (as of 2039-02-16)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 92 groups and 275 rules | | Group
@@ -110,7 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -613,7 +613,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| | Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -96,7 +96,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -139,19 +139,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -164,24 +174,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -189,9 +204,9 @@
-
+
-
+
@@ -204,21 +219,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -2872,20 +2872,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2907,6 +2893,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -2924,20 +2924,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2959,6 +2945,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -98,7 +98,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -141,19 +141,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -166,24 +176,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -191,9 +206,9 @@
-
+
-
+
@@ -206,21 +221,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -2874,20 +2874,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2909,6 +2895,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -2926,20 +2926,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2961,6 +2947,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,34 +7,34 @@
2022-12-05T00:00:00
-
- Verify Permissions on shadow File
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Force kernel panic on uncorrected MCEs
+
+ Configure low address space to protect from user allocation
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Enable cron Service
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Verify No netrc Files Exist
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Disable kexec system call
+
+ Disable the uvcvideo module
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
@@ -43,550 +43,556 @@
ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Use Centralized and Automated Authentication
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Disable x86 vsyscall emulation
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Enable SSH Warning Banner
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1
-
- Enable Kernel Parameter to Enforce DAC on Hardlinks
+
+ IOMMU configuration directive
- ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
+ ocil:ssg-grub2_enable_iommu_force_action:testaction:1
-
- Enable poison without sanity check
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Enable systemd_timesyncd Service
+
+ Allow Only SSH Protocol 2
- ocil:ssg-service_timesyncd_enabled_action:testaction:1
+ ocil:ssg-sshd_allow_only_protocol2_action:testaction:1
-
- Verify Group Who Owns /var/log/syslog File
+
+ Disable mutable hooks
- ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1
+ ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1
-
- Record Attempts to Alter Time Through clock_settime
+
+ Configure auditd mail_acct Action on Low Disk Space
- ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
+ ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Enable Use of Privilege Separation
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-sshd_use_priv_separation_action:testaction:1
-
- Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+
+ All GIDs referenced in /etc/passwd must be defined in /etc/group
- ocil:ssg-auditd_overflow_action_action:testaction:1
+ ocil:ssg-gid_passwd_group_same_action:testaction:1
-
- Avoid speculative indirect branches in kernel
+
+ Enable auditd Service
- ocil:ssg-kernel_config_retpoline_action:testaction:1
+ ocil:ssg-service_auditd_enabled_action:testaction:1
-
- Verify User Who Owns Backup passwd File
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Verify Permissions on SSH Server Private *_key Key Files
+
+ Verify Permissions on /var/log Directory
- ocil:ssg-file_permissions_sshd_private_key_action:testaction:1
+ ocil:ssg-file_permissions_var_log_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Ensure /srv Located On Separate Partition
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-partition_for_srv_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - unlink
+
+ Verify Only Root Has UID 0
- ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
+ ocil:ssg-accounts_no_uid_except_zero_action:testaction:1
-
- Set SSH authentication attempt limit
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - reboot
- ocil:ssg-sshd_set_max_auth_tries_action:testaction:1
+ ocil:ssg-audit_privileged_commands_reboot_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -43,19 +43,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -68,24 +78,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -93,9 +108,9 @@
-
+
-
+
@@ -108,21 +123,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -2776,20 +2776,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2811,6 +2797,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -2828,20 +2828,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2863,6 +2849,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -147,31 +147,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -184,24 +188,35 @@
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -209,9 +224,9 @@
-
+
-
+
@@ -224,21 +239,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -3226,20 +3226,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3261,6 +3247,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3278,20 +3278,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3313,6 +3299,20 @@
false
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -147,31 +147,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -184,24 +188,35 @@
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -209,9 +224,9 @@
-
+
-
+
@@ -224,21 +239,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -3226,20 +3226,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3261,6 +3247,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3278,20 +3278,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3313,6 +3299,20 @@
false
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,616 +7,604 @@
2022-12-05T00:00:00
-
- Verify Permissions on shadow File
-
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
-
-
- Force kernel panic on uncorrected MCEs
-
- ocil:ssg-grub2_mce_argument_action:testaction:1
-
-
-
- Enable cron Service
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Add nosuid Option to /tmp
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
-
- Disable kexec system call
+
+ Configure low address space to protect from user allocation
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Set SSH Client Alive Count Max
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-sshd_set_keepalive_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Verify No netrc Files Exist
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Disable the uvcvideo module
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Set SSH Client Alive Count Max
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Disable the Automounter
+
+ Use Centralized and Automated Authentication
- ocil:ssg-service_autofs_disabled_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Enable Kernel Parameter to Enforce DAC on Hardlinks
+
+ Disable x86 vsyscall emulation
- ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
- Enable poison without sanity check
+
+ Enable SSH Warning Banner
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1
-
- Enable systemd_timesyncd Service
+
+ IOMMU configuration directive
- ocil:ssg-service_timesyncd_enabled_action:testaction:1
+ ocil:ssg-grub2_enable_iommu_force_action:testaction:1
-
- Verify Group Who Owns /var/log/syslog File
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
- ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
-
- Record Attempts to Alter Time Through clock_settime
+
+ Allow Only SSH Protocol 2
- ocil:ssg-audit_rules_time_clock_settime_action:testaction:1
+ ocil:ssg-sshd_allow_only_protocol2_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - removexattr
+
+ Disable mutable hooks
- ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1
+ ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1
-
- Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+
+ Configure auditd mail_acct Action on Low Disk Space
- ocil:ssg-auditd_overflow_action_action:testaction:1
+ ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1
-
- Add nosuid Option to /tmp
+
+ Enable Use of Privilege Separation
- ocil:ssg-mount_option_tmp_nosuid_action:testaction:1
+ ocil:ssg-sshd_use_priv_separation_action:testaction:1
-
- Avoid speculative indirect branches in kernel
+
+ All GIDs referenced in /etc/passwd must be defined in /etc/group
- ocil:ssg-kernel_config_retpoline_action:testaction:1
+ ocil:ssg-gid_passwd_group_same_action:testaction:1
-
- Verify User Who Owns Backup passwd File
+
+ Enable auditd Service
- ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-service_auditd_enabled_action:testaction:1
-
- Verify Permissions on SSH Server Private *_key Key Files
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-file_permissions_sshd_private_key_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+
+ Verify Permissions on /var/log Directory
- ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1
+ ocil:ssg-file_permissions_var_log_action:testaction:1
-
- Ensure auditd Collects File Deletion Events by User - unlink
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -43,31 +43,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -80,24 +84,35 @@
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -105,9 +120,9 @@
-
+
-
+
@@ -120,21 +135,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
0.1.65
@@ -3122,20 +3122,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3157,6 +3143,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3174,20 +3174,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3209,6 +3195,20 @@
false
fi
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -147,25 +147,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -183,64 +187,60 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
+
-
+
@@ -3080,6 +3080,28 @@
UBTU-20-010450
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
- name: Ensure aide is installed
package:
name: aide
@@ -3097,28 +3119,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3215,6 +3215,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -147,25 +147,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -183,64 +187,60 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
+
-
+
@@ -3080,6 +3080,28 @@
UBTU-20-010450
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
- name: Ensure aide is installed
package:
name: aide
@@ -3097,28 +3119,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3215,6 +3215,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,1295 +7,1276 @@
2022-12-05T00:00:00
-
- User Initialization Files Must Be Group-Owned By The Primary User
-
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
-
-
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
-
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
-
-
- Verify Permissions on shadow File
-
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
-
-
- Force kernel panic on uncorrected MCEs
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Disable SCTP Support
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Enable cron Service
+
+ Configure low address space to protect from user allocation
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Verify Permissions on cron.daily
- ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable kexec system call
+
+ Verify No netrc Files Exist
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Install iptables Package
+
+ Record Any Attempts to Run chacl
- ocil:ssg-package_iptables_installed_action:testaction:1
+ ocil:ssg-audit_rules_execution_chacl_action:testaction:1
-
- Set SSH Client Alive Count Max
+
+ Disable Kernel Parameter for IPv6 Forwarding
- ocil:ssg-sshd_set_keepalive_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Limit Password Reuse
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Offload audit Logs to External Media
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-auditd_offload_logs_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Disable the uvcvideo module
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
-
- Disable the Automounter
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
- ocil:ssg-service_autofs_disabled_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
-
- Enable Kernel Parameter to Enforce DAC on Hardlinks
+
+ Set SSH Client Alive Count Max
- ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Enable poison without sanity check
+
+ Use Centralized and Automated Authentication
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Enable systemd_timesyncd Service
+
+ Disable x86 vsyscall emulation
- ocil:ssg-service_timesyncd_enabled_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
- Install Smart Card Packages For Multifactor Authentication
+
+ Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- ocil:ssg-install_smartcard_packages_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
-
- Verify Group Who Owns /var/log/syslog File
+
+ Enable SSH Warning Banner
- ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1
+ ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Configure Periodic Execution of AIDE
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -43,25 +43,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -79,64 +83,60 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
+
-
+
@@ -2976,6 +2976,28 @@
UBTU-20-010450
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
- name: Ensure aide is installed
package:
name: aide
@@ -2993,28 +3015,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -3111,6 +3111,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2022-12-05 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -147,25 +147,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -183,64 +187,60 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
+
-
+
@@ -2679,6 +2679,28 @@
SRG-OS-000445-GPOS-00199
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
- name: Ensure aide is installed
package:
name: aide
@@ -2695,28 +2717,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -2813,6 +2813,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 2022-12-05 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -147,25 +147,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -183,64 +187,60 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
+
-
+
@@ -2679,6 +2679,28 @@
SRG-OS-000445-GPOS-00199
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
- name: Ensure aide is installed
package:
name: aide
@@ -2695,28 +2717,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -2813,6 +2813,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 2022-12-05 00:00:00.000000000 +0000
@@ -7,1295 +7,1276 @@
2022-12-05T00:00:00
-
- User Initialization Files Must Be Group-Owned By The Primary User
-
- ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1
-
-
-
- Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check
-
- ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1
-
-
-
- Verify Permissions on shadow File
-
- ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
-
-
- Force kernel panic on uncorrected MCEs
+
+ Ensure PAM Enforces Password Requirements - Minimum Length
- ocil:ssg-grub2_mce_argument_action:testaction:1
+ ocil:ssg-accounts_password_pam_minlen_action:testaction:1
-
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
+
+ Verify Group Ownership of System Login Banner
- ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_action:testaction:1
-
- Disable SCTP Support
+
+ Record Access Events to Audit Log Directory
- ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
+ ocil:ssg-directory_access_var_log_audit_action:testaction:1
-
- Enable cron Service
+
+ Configure low address space to protect from user allocation
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1
-
- Set the GNOME3 Login Warning Banner Text
+
+ Verify Permissions on cron.daily
- ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1
+ ocil:ssg-file_permissions_cron_daily_action:testaction:1
-
- Ensure that System Accounts Are Locked
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
- ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1
+ ocil:ssg-audit_rules_media_export_action:testaction:1
-
- Disable kexec system call
+
+ Verify No netrc Files Exist
- ocil:ssg-kernel_config_kexec_action:testaction:1
+ ocil:ssg-no_netrc_files_action:testaction:1
-
- Install iptables Package
+
+ Record Any Attempts to Run chacl
- ocil:ssg-package_iptables_installed_action:testaction:1
+ ocil:ssg-audit_rules_execution_chacl_action:testaction:1
-
- Set SSH Client Alive Count Max
+
+ Disable Kernel Parameter for IPv6 Forwarding
- ocil:ssg-sshd_set_keepalive_action:testaction:1
+ ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1
-
- Ensure the Default Umask is Set Correctly in login.defs
+
+ Limit Password Reuse
- ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
-
- Don't target root user in the sudoers file
+
+ Offload audit Logs to External Media
- ocil:ssg-sudoers_no_root_target_action:testaction:1
+ ocil:ssg-auditd_offload_logs_action:testaction:1
-
- Ensure Sudo Logfile Exists - sudo logfile
+
+ Disable the uvcvideo module
- ocil:ssg-sudo_custom_logfile_action:testaction:1
+ ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Ensure that System Accounts Do Not Run a Shell Upon Login
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1
-
- Disable the Automounter
+
+ Record Unsuccessful Access Attempts to Files - open_by_handle_at
- ocil:ssg-service_autofs_disabled_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
-
- Enable Kernel Parameter to Enforce DAC on Hardlinks
+
+ Set SSH Client Alive Count Max
- ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1
+ ocil:ssg-sshd_set_keepalive_action:testaction:1
-
- Enable poison without sanity check
+
+ Use Centralized and Automated Authentication
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-account_use_centralized_automated_auth_action:testaction:1
-
- Enable systemd_timesyncd Service
+
+ Disable x86 vsyscall emulation
- ocil:ssg-service_timesyncd_enabled_action:testaction:1
+ ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
- Install Smart Card Packages For Multifactor Authentication
+
+ Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
- ocil:ssg-install_smartcard_packages_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
-
- Verify Group Who Owns /var/log/syslog File
+
+ Enable SSH Warning Banner
- ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1
+ ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Configure Periodic Execution of AIDE
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 2022-12-05 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -43,25 +43,29 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
+
+
+
+
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
@@ -79,64 +83,60 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
+
+
-
+
-
+
@@ -2575,6 +2575,28 @@
SRG-OS-000445-GPOS-00199
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
+ include install_aide
+
+class install_aide {
+ package { 'aide':
+ ensure => 'installed',
+ }
+}
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
- name: Ensure aide is installed
package:
name: aide
@@ -2591,28 +2613,6 @@
- no_reboot_needed
- package_aide_installed
-
-[[packages]]
-name = "aide"
-version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- include install_aide
-
-class install_aide {
- package { 'aide':
- ensure => 'installed',
- }
-}
-
@@ -2709,6 +2709,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
overalldiffered=4 (number of pkgs that are not bit-by-bit identical: 0 is good)
overall=1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|