~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide ~/f/scap-security-guide RPMS.2017/scap-security-guide-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-0.1.60-0.0.noarch.rpm differ: byte 226, line 1 Comparing scap-security-guide-0.1.60-0.0.noarch.rpm to scap-security-guide-0.1.60-0.0.noarch.rpm comparing the rpm tags of scap-security-guide --- old-rpm-tags +++ new-rpm-tags @@ -175,23 +175,23 @@ /usr/share/doc/scap-security-guide/README.md 562c264f1cc27aaa1cc2bc7f8948b7611809f95310a155269c8d9d386cbef988 2 /usr/share/doc/scap-security-guide/guides 0 /usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-index.html 24d819602b71d3456c0dae7da24576397e6a75db3e810a3e0537f2a084e19aa2 2 -/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html b139fc13caddd238c372900cae2913365680e8b8b6f8b55a708c3e49ee43becf 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html ca6f074143483b4dcab543c0d87a37eeee2d43393408c4ffaac30dfc36616647 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 481640853b1c046044609782938ce7799253e59a2d10490bbd886ff238edcaf3 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 6bd63ad9442942dd697223970927b30e4e0681ae65036eff7fd220fd65abdfbc 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html c2cdc647c74f01c89a5c26ad6d61e759fdc41e9552d4c4e186f78245a71a348a 2 +/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html ae47cff21a33ae598655485e40c48477f650166c926e98b0a6d7a235cf6961b8 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 257745dc72e01c8c6e5b574fd829d06a717591970de220ea302e8e6ce41ac4fe 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html ae1834a368f261df8b7177aa995f8de787d23008cb50e7964144d68a0c85c659 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 8cf8e04c456031b2d03e15c4d9b60eb0794fb5d46c3ab18956b1c04c0ce5ce09 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 05e2e049adaafa11ba8a50d25c6352b16de4a57fd6dd68a71fbc15f9e339be6f 2 /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-index.html c5b92cf7357a90a64d2efd073ee7fe443f3099fc0553d0a700eb87fc72680160 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html ecc06ed555e78907f19cfa95f3de55e9c94c2a1bc7c9dad6a592c3b083fceb49 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html b2589fd4270c8fbf809499e5e49ae3d55bdbcc8ade16387d056c0e316b3b307b 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 9c7d0b75c6cc625b0de018c93626cbf3853c001a74d48442985a76aa4eb63b55 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 633d069b4eeaf9f9a7c40b88cc3bfd4bb761faaccdc29494d8455a5a35733c40 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 45eaca4598c381aa8129eda77f66a0a07b3c44b64dbd859d4cc4fc818d7f8520 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 9a6ab57a80d5caec65d84e0b48bea9696826ba34ec40b366ee469b91c4437714 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html eb1183785cae0b871764c1d19a315b633f869873248e5fe4cdc1364cc0763fe4 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 615dcd7e3b1175e2449c29c832fa0fa56c7b79f625aec042a0d00dbe122f3ff8 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html c36d66da9120e82cbf594c7649b67a75d8cd78229b2bf2fc1bfe601116fbba3c 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html b17e7cc4568ffdc7b6efa03295692261986688900394a5776a37686d114b2aaa 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 98bb7f0b8a675def04976f64ef0e08456446f35688ee9acdd0d5e81fc2ba9b8f 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 70a646614490967b56950fa74ed9298b603c263a9f88f95fddce88fd0415c58a 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html b04a8ed72c712f7b4e144783fcda942ef4a4fa5ff7c5c48c9876f9fe4a6ce59b 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html d4343db0e577cfb26f44e67c7b6250fa17fe7e3dcefd3d3e615109239ea073ff 2 /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-index.html 88342f637ca0771f79fc4af081a6343f66ce639f9ac2a9c3061537b9328ce79d 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html e31401d29518fe966a6aa86451a7c9eaa7bd71c0f8d85595f0383d52e8be5b97 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 6ea9c47a39b5a776a53824f63956a31aa815de9de2637224bf5ebd742b473a6e 2 -/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 744e09d69df058e8c54b4b4a0c26ae6021027a559567f7994cc6ff0f784d6d0b 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html f57a2d33f9aa0bf4a5ebff3aa735444b5c49c9150f7f56864d2279534026fed1 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html a09dd8821ebd919404305ad416f15dc49fbc51251b23499e08893f8da4f2d6a3 2 +/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 72a9ce832aca705c75a0a210377f7bba1ededa98a78455b5b78118d4f2967c2a 2 /usr/share/doc/scap-security-guide/tables 0 /usr/share/doc/scap-security-guide/tables/table-sle12-stig-testinfo.html 2d6f220dd81b1c9e7336b36e2d67f8e71dff158c898d9fc13fdce2ed42d4c5bd 2 /usr/share/doc/scap-security-guide/tables/table-sle12-stig.html 9b7f1d63436763bd089c95bb51d02f225993fd6e4054e12532df8640fb3c09f3 2 @@ -241,25 +241,25 @@ /usr/share/xml/scap/ssg/content 0 /usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-dictionary.xml e74fe69303dc5c832394ad561fca005b8c51dd5e2f1fc6c1226c01adcdc41555 0 /usr/share/xml/scap/ssg/content/ssg-opensuse-cpe-oval.xml 83ca184b4d7108f3eea071d90492d7fa52a69e57ae303d9a383caca621dee248 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2825cabecabe02530f11b91ab5d6a6cba0eca98840098b3eaec15fba003611c2 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml c7b505dfbe2396e8bc24b8533d489718f90244b775e39592a65f57e8c136fa6d 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 4c433fbbdb71a9bdd14cbe5c7f3ea8a76446ed9ca5ba1d2d5c94868b83476bd4 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 6833dee8e023b42f48ce0e24028d6353f8f27caed9cd41e88fe3a5d0d30ef1ee 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 0daa2d228a75c4aeccbb9b310d18b263f1e4f1497bc29d0ee9a0e52b27e5463d 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml c579edfd5774502707e1e06c239d5d2510dbc6650f7670703e5e922a21d35369 0 /usr/share/xml/scap/ssg/content/ssg-opensuse-oval.xml 99c2236258011126a26b06911e9c6c2d2dbe2cf7b3b88884a38406e7bcdc0009 0 -/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml aa3de512d123a41e43b443334ad1560bc8cff9d013c589a5bdc862407e50d19b 0 +/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 6d026d291a0c6552529e9fca5a66396cde586a411c2793cd561e7f412b8bf693 0 /usr/share/xml/scap/ssg/content/ssg-sle12-cpe-dictionary.xml 87cbf0ec173473eb057058a903543caf888104c4d8b57fc5bcf33a5a0436e5c4 0 /usr/share/xml/scap/ssg/content/ssg-sle12-cpe-oval.xml 69c6cc5b20a165930e8bfc29b81b33e35c9bf04800b99125ecbe7fce2e89c277 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml c4f391a0c4ca369f322c6e1d8ed91e84c8a4569ffaaf0094c7c12a8ccb73c3f0 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml f90e76278461b1e9bfb3ba9d8ffa32d4f0fbb41288d62bba17c94790a887f736 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 88f34828749bc36510d3cf0e41523cca9f59a95fa3d23cc188ed2fe739a376fe 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml ff15359dc83020a2899a26cc89101b3223dbd9798d4b891b2d6c76ead1f9131e 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 95d2533cbfa890760e2957ba06576577091702eb798dfefacb755eeba4f1de5b 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml f16d377a0e9710d43676653194072f673102b65cf936b702eef23ded6c77db4a 0 /usr/share/xml/scap/ssg/content/ssg-sle12-oval.xml 35b9a24ad4cd968895303fb06a0cfe336fc76d340afe87c497365ea3b67c10af 0 -/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 865b32bb91d9512491e373f5efa9247e11d26814478d873ee9567051436445c9 0 +/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 099ea6e73a1b0165f17394ef10340a076852874f2c8f023b788c3a063bb27d3a 0 /usr/share/xml/scap/ssg/content/ssg-sle15-cpe-dictionary.xml ac6771fb31b41063b1f22199798b68efe280ec48843a41fe8eceac8d4f9cc915 0 /usr/share/xml/scap/ssg/content/ssg-sle15-cpe-oval.xml 82f3be46d1784faaa2991d1a5610105b649d9d999695756bfc3d60b37ab93632 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml b230545c3b559dbae0106293b063f1dffab813191d993ac091898d0fa7abc916 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 60ec759cc3dae50b68bc71677cc63926b96fc266707dcd3e918b6b7398ba52b9 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 00374eb125010bac63bd56d816813e96ccefa6afa5ff904cf505665511fc28d5 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 32cd2f3827f0e31ab40cffda06362aaf5efbffb7e3480a110138775027587703 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 7278e7f239fa444c8ec50123371d128d3832bdd1896ffc331d30d3d308dafe5d 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 813f80f5fc30b5843651704ddf5950c1f8643b2abde0dee4c60b223eae30c7c9 0 /usr/share/xml/scap/ssg/content/ssg-sle15-oval.xml fe7a0b3b2ba31ba8f91972d2c4879c81e9751369fa9c94b3cc6c676e521ad5c4 0 -/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 0f801c74e007a9064849ef750f262ac40e3c0892d9f5e6b7199b1f9026f7350e 0 +/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 092756348dd4fcb582d44a169fcc2a4b703891475c59f5b33b9b20532fe20925 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for openSUSE
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:opensuse:leap:42.1
  • cpe:/o:opensuse:leap:42.2
  • cpe:/o:opensuse:leap:42.3
  • cpe:/o:opensuse:leap:15.0

Revision History

Current version: 0.1.60

Table of Contents

  1. System Settings
    1. File Permissions and Masks

Checklist

Group   Guide to the Secure Configuration of openSUSE   Group contains 4 groups and 3 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 100 groups and 257 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 89 groups and 194 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 83 groups and 191 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 98 groups and 256 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. File Permissions and Masks

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 4 groups and 3 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:suse:linux_enterprise_desktop:12

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Base Services
    2. FTP Server
    3. Mail Server Software
    4. NFS and RPC
    5. Network Time Protocol
    6. Obsolete Services
    7. SSH Server
    8. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 83 groups and 229 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 109 groups and 279 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 97 groups and 216 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 91 groups and 213 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 107 groups and 278 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 @@ -73,7 +73,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 54 groups and 133 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 48 groups and 109 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -68,7 +68,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for SUSE Linux Enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Web Server
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 44 groups and 115 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for SUSE Linux Enterprise 15
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:suse:linux_enterprise_server:15
  • cpe:/o:suse:linux_enterprise_desktop:15

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Base Services
    2. FTP Server
    3. Mail Server Software
    4. NFS and RPC
    5. Network Time Protocol
    6. Obsolete Services
    7. SSH Server
    8. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 83 groups and 235 rules
Group   /usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -12559,154 +12559,154 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Ensure nss-tools is installed - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Ensure SELinux State is Enforcing + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify User Who Owns Backup gshadow File - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Set Password Maximum Age + + Force frequent session key renegotiation - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for .rhosts Files - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Prevent Login to Accounts With Empty Password - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Verify User Who Owns shadow File + + Ensure rsyslog is Installed - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Remove the OpenSSH Server Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure gnutls-utils is installed + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Don't target root user in the sudoers file + + Disable Kerberos by removing host keytab /usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -12559,154 +12559,154 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Ensure nss-tools is installed - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Ensure SELinux State is Enforcing + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify User Who Owns Backup gshadow File - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Set Password Maximum Age + + Force frequent session key renegotiation - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for .rhosts Files - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Prevent Login to Accounts With Empty Password - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Verify User Who Owns shadow File + + Ensure rsyslog is Installed - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Remove the OpenSSH Server Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure gnutls-utils is installed + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Don't target root user in the sudoers file + + Disable Kerberos by removing host keytab /usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,154 +7,154 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Ensure nss-tools is installed - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Ensure SELinux State is Enforcing + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify User Who Owns Backup gshadow File - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Set Password Maximum Age + + Force frequent session key renegotiation - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for .rhosts Files - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Prevent Login to Accounts With Empty Password - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Verify User Who Owns shadow File + + Ensure rsyslog is Installed - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Remove the OpenSSH Server Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure gnutls-utils is installed + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Don't target root user in the sudoers file + + Disable Kerberos by removing host keytab /usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of openSUSE This guide presents a catalog of security-relevant configuration settings for openSUSE. It is a rendering of @@ -53,9 +53,9 @@ - + - + @@ -68,6 +68,11 @@ + + + + + @@ -78,19 +83,9 @@ - - - - - - - - - - - + - + @@ -103,19 +98,24 @@ + + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -24381,802 +24381,802 @@ 2022-02-22T00:00:00 - - Verify Permissions and Ownership of Old Passwords File + + Enable the OpenSSH Service - ocil:ssg-file_etc_security_opasswd_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Modify the System GUI Login Banner + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-banner_etc_gdm_banner_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Check that vlock is installed to allow session locking - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Uninstall talk Package + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Add nosuid Option to /home - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - OS commands and libraries must have the proper permissions to protect from unauthorized access + + Disable Kernel Parameter for IPv6 Forwarding by default - ocil:ssg-run_chkstat_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 - - Install strongswan Package + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-package_strongswan_installed_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Record Attempts to Alter the localtime File + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Verify Permissions on cron.weekly + + Configure GNOME3 DConf User Profile - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - A remote time server for Chrony is configured + + Install the OpenSSH Server Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Enable cron Service + + Remove the X Windows Package Group - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure zypper Removes Previous Package Versions - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Add nosuid Option to /home + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Remove telnet Clients + + Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Add nosuid Option to /tmp - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Remove Host-Based Authentication Files - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-no_host_based_files_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Record Attempts to Alter Logon and Logout Events - faillock /usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -24383,802 +24383,802 @@ 2022-02-22T00:00:00 - - Verify Permissions and Ownership of Old Passwords File + + Enable the OpenSSH Service - ocil:ssg-file_etc_security_opasswd_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Modify the System GUI Login Banner + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-banner_etc_gdm_banner_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Check that vlock is installed to allow session locking - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Uninstall talk Package + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Add nosuid Option to /home - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - OS commands and libraries must have the proper permissions to protect from unauthorized access + + Disable Kernel Parameter for IPv6 Forwarding by default - ocil:ssg-run_chkstat_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 - - Install strongswan Package + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-package_strongswan_installed_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Record Attempts to Alter the localtime File + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Verify Permissions on cron.weekly + + Configure GNOME3 DConf User Profile - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - A remote time server for Chrony is configured + + Install the OpenSSH Server Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Enable cron Service + + Remove the X Windows Package Group - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure zypper Removes Previous Package Versions - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Add nosuid Option to /home + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Remove telnet Clients + + Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Add nosuid Option to /tmp - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Remove Host-Based Authentication Files - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-no_host_based_files_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Record Attempts to Alter Logon and Logout Events - faillock /usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,802 +7,802 @@ 2022-02-22T00:00:00 - - Verify Permissions and Ownership of Old Passwords File + + Enable the OpenSSH Service - ocil:ssg-file_etc_security_opasswd_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Modify the System GUI Login Banner + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-banner_etc_gdm_banner_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Check that vlock is installed to allow session locking - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Uninstall talk Package + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Add nosuid Option to /home - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - OS commands and libraries must have the proper permissions to protect from unauthorized access + + Disable Kernel Parameter for IPv6 Forwarding by default - ocil:ssg-run_chkstat_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 - - Install strongswan Package + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-package_strongswan_installed_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Record Attempts to Alter the localtime File + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Verify Permissions on cron.weekly + + Configure GNOME3 DConf User Profile - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - A remote time server for Chrony is configured + + Install the OpenSSH Server Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Enable cron Service + + Remove the X Windows Package Group - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure zypper Removes Previous Package Versions - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Add nosuid Option to /home + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Remove telnet Clients + + Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Add nosuid Option to /tmp - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Remove Host-Based Authentication Files - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-no_host_based_files_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Record Attempts to Alter Logon and Logout Events - faillock /usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of SUSE Linux Enterprise 12 This guide presents a catalog of security-relevant configuration settings for SUSE Linux Enterprise 12. It is a rendering of @@ -43,14 +43,9 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - - - - - - + - + @@ -58,29 +53,29 @@ - + - + - + - + - + - + - + - + - + - + @@ -88,24 +83,24 @@ - + - + - + - + - + - + - + - + @@ -113,19 +108,24 @@ + + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -28572,2062 +28572,2057 @@ 2022-02-22T00:00:00 - - Verify Permissions and Ownership of Old Passwords File - - ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - - - Configure SSH to use System Crypto Policy + + Enable the OpenSSH Service - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Modify the System GUI Login Banner + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-banner_etc_gdm_banner_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Disable debug-shell SystemD Service + + Check that vlock is installed to allow session locking - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Uninstall talk Package + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Add nosuid Option to /home - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Disable snmpd Service + + Disable Kernel Parameter for IPv6 Forwarding by default - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 - - Install strongswan Package + + Verify permissions of log files - ocil:ssg-package_strongswan_installed_action:testaction:1 + ocil:ssg-permissions_local_var_log_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify File Hashes with RPM - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Verify Permissions on cron.weekly + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Install the OpenSSH Server Package - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Remove the X Windows Package Group - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Add nosuid Option to /home + + Ensure zypper Removes Previous Package Versions - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Require Encryption for Remote Access in GNOME3 - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 - - Verify permissions of log files + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-permissions_local_var_log_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -28574,2062 +28574,2057 @@ 2022-02-22T00:00:00 - - Verify Permissions and Ownership of Old Passwords File - - ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - - - Configure SSH to use System Crypto Policy + + Enable the OpenSSH Service - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Modify the System GUI Login Banner + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-banner_etc_gdm_banner_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Disable debug-shell SystemD Service + + Check that vlock is installed to allow session locking - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Uninstall talk Package + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Add nosuid Option to /home - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Disable snmpd Service + + Disable Kernel Parameter for IPv6 Forwarding by default - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 - - Install strongswan Package + + Verify permissions of log files - ocil:ssg-package_strongswan_installed_action:testaction:1 + ocil:ssg-permissions_local_var_log_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify File Hashes with RPM - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Verify Permissions on cron.weekly + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Install the OpenSSH Server Package - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Remove the X Windows Package Group - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Add nosuid Option to /home + + Ensure zypper Removes Previous Package Versions - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Require Encryption for Remote Access in GNOME3 - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 - - Verify permissions of log files + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-permissions_local_var_log_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,2062 +7,2057 @@ 2022-02-22T00:00:00 - - Verify Permissions and Ownership of Old Passwords File - - ocil:ssg-file_etc_security_opasswd_action:testaction:1 - - - - Configure SSH to use System Crypto Policy + + Enable the OpenSSH Service - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Modify the System GUI Login Banner + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-banner_etc_gdm_banner_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Disable debug-shell SystemD Service + + Check that vlock is installed to allow session locking - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Uninstall talk Package + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Add nosuid Option to /home - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Disable snmpd Service + + Disable Kernel Parameter for IPv6 Forwarding by default - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_default_forwarding_action:testaction:1 - - Install strongswan Package + + Verify permissions of log files - ocil:ssg-package_strongswan_installed_action:testaction:1 + ocil:ssg-permissions_local_var_log_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify File Hashes with RPM - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Verify Permissions on cron.weekly + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Install the OpenSSH Server Package - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Remove the X Windows Package Group - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Add nosuid Option to /home + + Ensure zypper Removes Previous Package Versions - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Require Encryption for Remote Access in GNOME3 - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 - - Verify permissions of log files + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-permissions_local_var_log_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of SUSE Linux Enterprise 15 This guide presents a catalog of security-relevant configuration settings for SUSE Linux Enterprise 15. It is a rendering of @@ -43,34 +43,39 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + - + - + - + - + - + - + - + - + - + - + + + + + + @@ -78,24 +83,24 @@ - + - + - + - + - + - + - + - + @@ -103,14 +108,9 @@ - - - - - - + - + @@ -118,14 +118,14 @@ - + - + - + - + @@ -133,14 +133,14 @@ - + - + - + - + RPMS.2017/scap-security-guide-debian-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.60-0.0.noarch.rpm differ: byte 226, line 1 Comparing scap-security-guide-debian-0.1.60-0.0.noarch.rpm to scap-security-guide-debian-0.1.60-0.0.noarch.rpm comparing the rpm tags of scap-security-guide-debian --- old-rpm-tags +++ new-rpm-tags @@ -161,24 +161,24 @@ ___QF_CHECKSUM___ /usr/share/doc/scap-security-guide 0 /usr/share/doc/scap-security-guide/guides 0 -/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html da4bdfa700556dc2904ee9cae20fd49398a5679ed9aab4fa0cd316a4f8b16afb 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html b8870e377fe99aaa8b20d2b46143add05f6a98f6e0251838007523ea35fc7e43 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 62552ac4c80460cde6248fecb321532ac2528f3dea1ea75d47d5d7c9d93590e1 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html f6ccf76b6b1773d840f3fb5ae04335bf4bf6bfc60334bccc8286c32e407293f9 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html cfc02e92c68f9c4e8e09aa5c2f9bdc919dc77a2c0163caae69d02685d92c9f63 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html b585b39098a8f024d53715f134aceafd5995b8a6fc81de487ed034dec1583c8d 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 24d19a2a95af4d7f297a2a177299e0561095e0dca9729cc436c23f0a1a6fe0b8 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 47c6d493120d9f39fdf742179c1d799730c60eda6778f45aa1eceb9960cc1ce2 2 /usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-index.html 4c70fb844d3eb9dfa68aa23fe7434bdc1afbc721c881fa867a2ebb1b727f868d 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 0d19b28834c2ecf7cf713e05f5f6104e55aab2b670dddfc5162000e24adb6258 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 8f1f4d00b3020508eb0aec03c1154163a50b5c691f86bb312074ba39ca3a1126 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html ac6b4c890527fa3bd1b62c85ee058c3df17d3a9a3c4946bb0904623d3031641f 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 758ea384eebf6b2c35641fa350bad8b8533c70ba2fde394f3011b532f6d810c4 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2ebd9fec4ecf948fdd696597123f917170920c48a51317139e74bcafb57444ff 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html f4b32bba27ec91ea6dabc90f169cced72fcb6f5f3c2296fb4938be1f8d6467f8 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 25397533828383041cd2cd50948c8a4213d7d437f3663b67e9f81ff223fc2421 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html d47f4b3c376da8fe2990ae40a6a57426ae2101922bf3f8863991c69325ad12d9 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 96ae934f52e42120fc6ec140e21fb560367a03356f088bb02bfc6c97864f8075 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 6e45ae059e48c57afa1a0591c9abd6fb68eacb36bf6ac9384e75a393d30233a8 2 /usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-index.html 526b0320e62ca31b4985a3c2e0c0030ce2793c88feeb98a45d5f3ab36965e8ea 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 480b4d76d2617f5f4a130f589ebbaf2681be8a8a32864edda2c94558542dfc96 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 96b5453633c9ab9e748d4bed110257f43d54f3f64cbfeb2668c36217d90003d1 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 66b14c006480c61ff79c7f1cf2125d22a13ce9fc3e3b4aec0fb04a55d5b574ff 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 989aae90ffbb7d054549afe2c291e5dc6a184b990f71add159c069551b2a0a0e 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 1ac467d63238d9d7acb53417a017eb1efc98fe851a319d9b27d2c691883928c2 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 4a206d459fc060aaa8fc871e0f165fa774fa2ac93be2bcb9472a3d10a0121d06 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 732c4cd561cdba7db71f94ce93db1ee15c41d4f700665018d0e47da5509411b0 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html b9a9ac927bc100e78dd1bfa90e73127915893d5a2201c557885467928f97ed87 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html f33d9ea5284936f0e5c9b7b5bfa2f562830e29d5a01f97e6fef5aed3245eba46 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html c0fc76600a36fa53c50cd3f3536e9b1777d7155c4dbce6a68e16d94a314280e2 2 /usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-index.html c7ed843f644f07aa2581c84b2b1bd64acf5640908c83cfef7ba12db77fd172ec 2 -/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html a7cbc4ba7f72d5910570785efaa5faa938801a1ddd3dcb480a0b7405061a5d1f 2 +/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 3109f8b056ee934b4baef2080a08e1955d290a66aa8eed838de575298a324685 2 /usr/share/doc/scap-security-guide/tables 0 /usr/share/licenses/scap-security-guide-debian 0 /usr/share/licenses/scap-security-guide-debian/LICENSE ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298 128 @@ -221,25 +221,25 @@ /usr/share/xml/scap/ssg/content 0 /usr/share/xml/scap/ssg/content/ssg-debian10-cpe-dictionary.xml d27baca83f907e1d7e4a6093e9f78474c2dbd5d043c895f79c0a692e5e8582d2 0 /usr/share/xml/scap/ssg/content/ssg-debian10-cpe-oval.xml e9c0b69349485bea7f4f16613784387c210befe5ecb8434a2417e23a5bf87997 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 095de58bfb22e81716a7f413b99551b72ba8771db145ce843553d9648acd06b6 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 0576a4d080b61e41ea6bdd78e1c49433ea70eb24538d62671f590bd0ad5a795a 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 79f471613bb86040a9f8252fb6f909ff84ab85c802f366d835a4961e8e7548fa 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml d9a66a2ec48b7e59c008b31da767837bad2223b428684fbcf61894d7f5454488 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml db07661593a0c8bf862c2829deae83557514ecf11edee7517a2f64f0b8d762c3 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml f8ca72d93791c63c58155f9ddd7d26b3b1fafe949783a887f4f389bad268fda1 0 /usr/share/xml/scap/ssg/content/ssg-debian10-oval.xml 049a6e32fcad7c91789e4ede1f90776ba47866305495669fa0f2ebdf7e0f2351 0 -/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 5de9d035c64324490814b5b0c4366c583cbeebb8e04b1fd70b5ebd55daba81a4 0 +/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 5d417062e87f5ea22c57a9ef8925ac084ba6bb20f6ced5de9213bbe50c9ba86f 0 /usr/share/xml/scap/ssg/content/ssg-debian11-cpe-dictionary.xml a7bb5d3760c4f041cb7bb9518a32f14642eb9ac2a5dbbd58fa994f3d8cc8f142 0 /usr/share/xml/scap/ssg/content/ssg-debian11-cpe-oval.xml 49c4ef25ee5d257130bb9f41ec7f74eb2fcf856f36e2a74fc771205655e58333 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml f70376f7b69455297333f8d3fbd37c07ccfb4a79d0893e0075d5587206d34878 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml f6762e3dcd999455f54956d4cae27657016fa6988111b7d6f2616243d937fd0b 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 79f471613bb86040a9f8252fb6f909ff84ab85c802f366d835a4961e8e7548fa 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 7ebac849f407b2d8eb249bb8556cbb531e66d37865c66e8348728910ed884b21 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml f2b4e110b71b320385efdca0e66f7a31fda39afdca88f09e89cfe71c789abc57 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml f8ca72d93791c63c58155f9ddd7d26b3b1fafe949783a887f4f389bad268fda1 0 /usr/share/xml/scap/ssg/content/ssg-debian11-oval.xml 127cdb9972403755bdc268242b984c26a4a0fc91c2a30a6fba3edc19e4532467 0 -/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 04b353a93121db0d4d74a561a52f4a358ccc3c15f0b2fabccb0392cbff1944a2 0 +/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 971fbf8a0c7d857245ba32421541ff2bb4d076512bf2dda9896ed640569845da 0 /usr/share/xml/scap/ssg/content/ssg-debian9-cpe-dictionary.xml 2094791bef1ba62d6b2719ba4ceb602d66c6da73357cf9377c78c0af5df0414e 0 /usr/share/xml/scap/ssg/content/ssg-debian9-cpe-oval.xml 6f56634ae0f990b447bd39244e0cedcfe0cdd2be6d726dc7ffec06a874f74e7d 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 4f2b4d065151356443c1e74241bbdb3cc2da3782c2b2ef2c76c90763c7004713 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 21debda87b1e66a2f82ef8389141a9066f5d362328a6cc00e0dafbbf031164c8 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 79f471613bb86040a9f8252fb6f909ff84ab85c802f366d835a4961e8e7548fa 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 555dbff887ab0530f78d67089bbce7aa785b4675d1438a73acc68ec85387e13a 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 68f783bdf767a96ed9ed6229889ccca32deaa33a3b63fe99686cc715d6b32072 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml f8ca72d93791c63c58155f9ddd7d26b3b1fafe949783a887f4f389bad268fda1 0 /usr/share/xml/scap/ssg/content/ssg-debian9-oval.xml f8612f0abe5a40a7f783a896e0a60590d4c2f42a34598fa6ea4cb936416985d3 0 -/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 20f9b47c36c74bc2f01432d77ea54a342ec4b615f33ff195752210878ddacd21 0 +/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 1ec7069a6b64313e9292630ee699050a9bfa665d5a4fe76138e9b2db7a059312 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_average

CPE Platforms

  • cpe:/o:debian:debian_linux:10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 10   Group contains 20 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 High (Enforced) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high

CPE Platforms

  • cpe:/o:debian:debian_linux:10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 10   Group contains 23 groups and 50 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Minimal Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

CPE Platforms

  • cpe:/o:debian:debian_linux:10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services

Checklist

Group   Guide to the Secure Configuration of Debian 10   Group contains 11 groups and 24 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Restrictive Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

CPE Platforms

  • cpe:/o:debian:debian_linux:10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 10   Group contains 22 groups and 49 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Debian 10
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:debian:debian_linux:10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 10   Group contains 19 groups and 44 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_average

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 20 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 High (Enforced) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 23 groups and 50 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Minimal Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 11 groups and 24 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Restrictive Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 22 groups and 49 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Debian 11
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:debian:debian_linux:11

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 11   Group contains 19 groups and 44 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_average

CPE Platforms

  • cpe:/o:debianproject:debian:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 9   Group contains 20 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 High (Enforced) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high

CPE Platforms

  • cpe:/o:debianproject:debian:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 9   Group contains 23 groups and 50 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Minimal Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

CPE Platforms

  • cpe:/o:debianproject:debian:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services

Checklist

Group   Guide to the Secure Configuration of Debian 9   Group contains 11 groups and 24 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Restrictive Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

CPE Platforms

  • cpe:/o:debianproject:debian:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 9   Group contains 22 groups and 49 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Debian 9
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:debianproject:debian:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Debian 9   Group contains 19 groups and 44 rules
Group   /usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13907,178 +13907,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13907,178 +13907,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,178 +7,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Debian 10 This guide presents a catalog of security-relevant configuration settings for Debian 10. It is a rendering of @@ -53,9 +53,14 @@ - + - + + + + + + @@ -68,6 +73,11 @@ + + + + + @@ -78,24 +88,9 @@ - - - - - - - - - - - - - - - - + - + @@ -108,19 +103,24 @@ + + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13907,178 +13907,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13907,178 +13907,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,178 +7,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Debian 11 This guide presents a catalog of security-relevant configuration settings for Debian 11. It is a rendering of @@ -53,9 +53,14 @@ - + - + + + + + + @@ -68,6 +73,11 @@ + + + + + @@ -78,24 +88,9 @@ - - - - - - - - - - - - - - - - + - + @@ -108,19 +103,24 @@ + + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13907,178 +13907,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13907,178 +13907,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,178 +7,172 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set hostname as computer node name in audit logs + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Disable snmpd Service + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Logon and Logout Events - faillock - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure nss-tools is installed - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure Default SNMP Password Is Not Used - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-snmpd_not_default_password_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Build and Test AIDE Database - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-aide_build_database_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Verify User Who Owns Backup gshadow File - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Verify User Who Owns shadow File + + Force frequent session key renegotiation - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Remove the OpenSSH Server Package + + Disable SSH Support for .rhosts Files - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Ensure gnutls-utils is installed + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure rsyslog is Installed - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Debian 9 This guide presents a catalog of security-relevant configuration settings for Debian 9. It is a rendering of @@ -53,9 +53,14 @@ - + - + + + + + + @@ -68,6 +73,11 @@ + + + + + @@ -78,24 +88,9 @@ - - - - - - - - - - - - - - - - + - + @@ -108,19 +103,24 @@ + + + + + - + - + - + - + RPMS.2017/scap-security-guide-redhat-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.60-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-redhat-0.1.60-0.0.noarch.rpm to scap-security-guide-redhat-0.1.60-0.0.noarch.rpm comparing the rpm tags of scap-security-guide-redhat --- old-rpm-tags +++ new-rpm-tags @@ -658,167 +658,167 @@ /usr/share/doc/scap-security-guide 0 /usr/share/doc/scap-security-guide/guides 0 /usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-index.html b8098d1ba1aa63d7b64a145bb3026b19f19f5678259c1adcc3322b4428e1fb3f 2 -/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 1fc8ffbbebb1a47588ac158327be2f5d49f2eb868579d3b517c69ca927a3e186 2 -/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html b55e89b1b99ed5336fb4e372100656be8837d6edc6438603c6e46ea8ecf7a9b3 2 +/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 1b4fdf5ddfa087f088aed92093734ec50e8a33122e1f2eb691e580567768990a 2 +/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 8592adb650e5b9472fb29f84ba3aa15feb155132d2f34a968dfb2ceb2c2d88b7 2 /usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-index.html 63006fe83c8d2cf38fab118acc2f3ae85c7b5d6e4e5190c532e5c34de4e7b686 2 -/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html eb6911d1fb8309f85d68c53dc621dc425c19845f2b9aaf50fc6146819eb056e9 2 -/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html cf8576b9818ab67a503997ee49f812a9f3f6d30642597f921e3781c811a19ced 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 1497a5f7f6ea711d62c148593d0c33346d72bc6fdcfc3192d30d37dace46d493 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 556f3f0d3e7bdb7b8e30bc7a9e2d8be9e092fbe2bede991c6ffc97ad7ea40261 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html b096157108fa2d9f474b844c6221336fec5742f0447cacc1021543ca530a4740 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html ef2a12a5a6a9a1bf464d0cd8caecd5f541a73dfaa67289acc83f7d89cab6d791 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 4d5e92f019ecb741be4fc5dcd482afe0d8abee9327a6018d3e06dc2ca628bd66 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 1b712b914a64c11ea29192f72aa5487b6b8955d187a2f0abdd4c491deb5806b6 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 92651a76b020bd645c993074e90141aa07e1d0942e097ed779d3a3f3f3231e3a 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 80521569cb32cd8852e923693bc08b585103c206a321f894007b5343d4b6c5cf 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html f2b42137e4a30d845b5d91fe5cb143a0633787d1c1f506cb6e61287081bcd39e 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 0d964b0b644c9a4e1f0e18b7ffd482530bed51a69f4ac0fc91afccb4b5a65ee9 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 6bbe7fac32ff24e5056b828ef3cb12bca1344dfca16f96be5efe9c8e85c94143 2 +/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 340c5c9103b840aead626e8f225793c3c52ea7bd55508a48eab5748dfbfee445 2 +/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 87cadd76b2ff9ab235381fb788b815cccccb57de4f660262a114031b723ecaff 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html b1610fc1e918e9aeb996ce125cdaddc52021ccea473bd3a7e22bbf98204bdeef 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 087e26b34c1d8c111cab83f7d1538d90dd1e0da90e0111e73e3673cf73134f7b 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 1f9e840fe291d1d53118795a6cb0e4d589bd1ac7b7f5dd6562a5d8f6d5cede4f 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html e36cdc68bc5134385b9bfd9be28cbb2bf407dd9c7df92bef251f0005750b31b9 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 390782ef02c6d8ae523f5ec37e806b238f77acc80ba0e21ce7b167175c71944a 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 84dd5c2756742175c014d72deff9ad4aa853b2e57ac12433c8712ddada0f3070 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 304520533ffc7aeb565f61afa585f682648d3f6a9202498dda4e9d7b05ade981 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html dd7815708bbede87d58792fa371a6670e03cc280b687c863d827ef929c13501c 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html e832c9ff0a717a1008c1cbd23e9047ffd1d11e5fceee5f4007c3caa9dd1da7f2 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 06c779412abd84f1cedf001b78ea74821da92356734407482255dcfdc7c1f67d 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 1e8c09b49a49a15e41459a9189ec4161ccaf9c74674fa05a60c7d1d3fafaeeac 2 /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-index.html d9eec209fd0c83f74f8bb5b2db011302408848b2902116881be02e3bb619f2a8 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2e3ad42f08a05dd78dd84bd9228e22f985f36daab466900a56b8e303d406b692 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 9a98a62957cffe1f58ea6d0c4a1453ef7efca14ab7978ec78042316d03da0262 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 6dc97118319abcaf11b293cb88962cf14baf15d57bdb662a547a73d602ee1049 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html c2e6ecb472cd1055c2bed7815f2de96e056bce69d24d9466d076480b1d9766df 2 -/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html aed6892814821f1ea833cc0b1d41440578c07c7c2c92f11dbb43448b8a58176e 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 61ece73063746f061a170a5272c1d235f8de545380ad159a9b92b24300282e74 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2593d4a9d99062cd662106d708fbb4ae2fb6f3370429ea5bb96c64020040d993 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 32527cf564db929d12e083f3818a17bdaa9c487604c0bf2935ac9b294e7831ea 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 7f29c74a794b0e269f5b07397984a9eac2b6a39eb4df551c4a71078acccdb207 2 +/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html ff305d6b3e72115d2229a58ab368bdbc53bf4edf07539aae7a3a523b0842943b 2 /usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-index.html 7ee7973f24efadd8a5701116316ef6396681d7ee39ea4c7412dec9e6dbd03ab6 2 -/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html b8df8112cae77a267ae74422fad68b5425e19570694f2d5df3d639a7508cf2b8 2 -/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 7f73431beeed0e6fc3108c48eda2cbc2714691d03ed559f12f513761fcc769da 2 -/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html aa4470c1ecab4c30e1764ace226c8b66b981787a2e976e091e6601ac8dccfb1b 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html e466dc6d00394dd4c007bdf6b9fc87260725937dd9a796a55cc285342af11541 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html ea53873cfb946e4aa94d969aa2f353dbfc7ba9cb7e9a8ec9171e0a39a0e71ac0 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html d9f20bb66e74311912358cc8c9b44ad047fc6e7b577788f2eb29cbfb1cdf0552 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html fed597efb1a8a02e33f75bef1c57cbfa16525d35080ad32edc08c949ffa61df8 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 5b1c7d5b92f4d87344d40999acd62a1e3efe9fbcab5487759a87971a4251a5db 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 6ada2317f4ad5717101a2ad4de7d9fb43f0e4501e794d49929f6f229f127ba19 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 6e05db5646a18cc213d0438984211970dcaca8d3995b853d97cc43096474e84b 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html dc8df2de4dcc6e195e55a7118bd1e396081b627a60c2b4d6ee1d0f0b4b7118d2 2 +/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 72970744ec8bfa88966708c45b2a7f9f5ff5bb5e508d746d7bfb446ea346e95d 2 +/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html ed83e5b5252e93732e986a7595acf1230c346d0a67aa656c0f78230dfbcb916b 2 +/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 00302b0257e11449085730398e6e72446248209e27d1558c015213b0b5b7d1f1 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 0ed6123617b9cd7ecd0e2c20d49999e34cee9c28f6a2ea950bbfb359ddaa52e9 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 9e2e3fc0ce1fe449cb58720bbcd699b825d4c7e87226308d9cc97a0720e90d5e 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 1ad13cb5c2a1fb70c05dc707be587b3a03dbfb73d36619fa8e4ba0dde0399b62 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2e0ef4e789ccced1f2bd908d70134dabf3a90aa1271b2e87074a8de79364d4b8 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html e8c5a358111373a2ec780941c6dc4a4733f4340391d6df8e2a59069b23240ea4 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 5ccd031ad57f15e417ad95226012ef08ce304ca7b0b3ec6bfca451ef3e7294fa 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 525c4bbe75fb0553e14aa46611bd9156b12eb0a601979f7b50c76269fdb290de 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html de12d51fd2a5451d62788c6db2d29fbe5b45466f01065158ed1eb8e534003984 2 /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-index.html 07bcced4e0c4a4e7e712f9c63e43b404143d7c8f83f933514e2000440bd39272 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 3c03ea47a4feb6ebe0a47418b9d0909bdafffa50af328d4cc124600bd56eb6a5 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 4b050d5f129c4b5c776afe435ab2cf6a5070ffeb92b47c5aeb6c75bd393730cd 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 501463252dc049c0bb0a76c3299fd1ecee3770e48876b1200269c2edf6320a00 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html adb49d110d1c2e194370f4433ceb44f375c22ef746ca323ae5ea2dc8ddaaaaed 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html a19760d7ac2147fcc3076586d7c2734870d8e0a48ae9cf46133d499290693f9a 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 3521d5021547e08792995c5c1eca4e493cbe9720fc805f03dde4b3f9de246d8f 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 4f7d44d6c78e556f9460e44fd3e2998bad3d498bd179feddaecd484983d6e162 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 8bd4ca57d007718c8ddcae5d585d5b426c2cc1730a58d32a3820b473085f34c6 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 62f50595b14e21c2a4b17bf491e899bbf9ce03ea0a00aa439fe09230f6226d18 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html d2b97ec5806bb4f1c137f87487cbe9ceaad149eb2da437f96e8901ff2de6fccb 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 000cca3aaf4a87786c0d4a0f1c3335819f2be3050910c752d3cc2c13682fea0f 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 1c3c0e8a015a4850444b24532e0ee001e8564f9a87ba03fc956b8ad6a49e760d 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 4e260cc8be934c11809adbc2ae6ccf6ef97be34bccbc532d23d1f803e3a8ca77 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 219abe4d747b905754f972d8e28c856342279eacff340e6a6f9918e4c75773df 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 530df68abc85e3ead454a88c6f6e23e8216a108b0b69a1f8afefa934697ca097 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html e06d4900d9eae1c238b9fc65faf4a2de978c85fa40808ea0dcdbf2f71bc00e97 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 19e65c2a91cd787ab1ed9b6d11dbe20b36972dea7d072169a13dabfc0720494a 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 1e3b3020c4ef621cc97b575de4156d2a38202767bb51e43fa0566ac03d60ed67 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html e803b65b10df55cc68397c7bc5571fe8e8ffc4c5ac016db87d9d50043bb60e48 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 7a3911c0e03a9927cb4d70e25e5d59418a66de69dce46c9fde96e7a9497b21da 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 8f8c60e686f626c53d25ffd6f3f0ee5d9e942acb793c836afca32eb9a32ec289 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 3e580a176856df491ae87cdd10121d4c8ee976c03ced08f4d388d6835414602e 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 2fbbdb228d138b76bd9c0074dd5d227d885ae74cf4d1d8a461db1e8b97d9aacf 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html dd3df9f888e47a9f0aec91d31d5556001f5856bc3618f40669a00dab5dd6383b 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html d185b0efcd3d5e438b0a3c41e0995b16d12b3625792296f49c739dc499d9f36e 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 9ecf945846bee37c7e7739f142668bbe155a26525b2bf69e0af72e475dc26720 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html bca7c8ba9472cdf860202914f9edc19d8327f24e067c5452eb742126de7ef631 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 4d10793c0647348b2e4dd8a5b51049fcdcbff58eb88e0b1dbcc1a1118c9daf21 2 /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-index.html 67b559d6ecbdf14d036273de2b5788c6cbabe10c56b5570a9cb04e4595a44a86 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 7ef0d251f7c53fd490c9064e1a5a039548818ef6977d04293fa3626c8efd9f88 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 29d6749534b6e62284a58c26ecf8550b96e4e152a774c16862ecc0cfb5e55930 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 377d2e3f587d782e92e7a870309394f8e7a22ad3dcac0d4a79cf9057309cec15 2 -/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html b5056a6c833325f276c3fa216498cd45a4a46eb8b880b47bc74f6b4efe092796 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 54a8a319f9d36f0b75e108e657d7abb1578f958fa2aee6226209cc67f745870f 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html a49b5784ceb582baeda3f7b1aa8716da77875cc6f47e5d3e373abecef6edcc0c 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html b956b25dabd10fe31f4c306679804b662c9560ab542eb5acdd92c45aa45600dc 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html f4871e7f1a53bbca232452a9af6ae14c967a9b24f2f44fefa832905d6eebe75f 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 252e97b843c34c22ad0fd1f2dabb26355d9ac5fb597f48a252762baaaa292a5b 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 916dee528e25b8101565d41d4e94a481e481c0f23772826d9a9046c7b3877c30 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html c90f131184800d5623f987b99ea03b96cc2d383ac0585c5192ed5fa4db02ee35 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html fbf28fcce9f2ace83352f7f2b951ffba512ed96c36b1e038e4b66dfb0c1677ab 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 1a8b64121322080a70802f04500a68122ba043f9885521e1067c252d5bc5ed32 2 +/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 6ad2d48cce07a841dadc527e02cc99673e7b2c4fbc3f7200bda2f22be8e58f20 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 272af84c9b4066bd3de5b7053cbc55b43d051d09c3ccad5a2bc05981d348feb4 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 76dc0f892e19f53ced9e98aaf2eb28ada6dcaddb11c89fccae234d88885e5fdd 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 768919c82a96826ec3f29f3a64099cfb5c6f8b084fa2397305f1cae7c318415a 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 353bb6b138af26149ae4922e2cb634daee7b45855247b2e40686674841a32882 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 998e70ec31878e4fd707f1089a0f535c2ed53fcafa61411bdf004048b686d10e 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html b3509c67c32c5be50a0ba1244e62bd3a910343c7f9895434a8d3501eee870c8e 2 /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-index.html 3d69528a195418fd80001ab14e1ca8b64430c7951f42b605bf3d72dd0d75c8e7 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html b906da6f30b35361b0fe3ad10b025e8ed76929039a1a45c9f02a9fd3f6a3c363 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html e8f6d4736ab231aea740cc5c5454d51a8e9c894efc3fd0479f5b3166c44ab0a8 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html aa5bd9d88e49499e896b8158cb3d634628e18bc8f4117a3cd26bc7895337d2e8 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 67268d716242bb40a9c72818b3e12af8128e41b09d8192bdbd6463ea2b142b6d 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 4b6d6deab2ec2093b6cb1f8ff8b1f41aad06db929db4defbf40257b876b217a3 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html fe3ac45a5388256cf086be921880cf21bfbabc99360264b665650fc919cbea67 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html bf9ceaddb72496ba285c923ee764d22445e693c5d68e541409fe04f90f005792 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 3862171352576d473146209fc66936ff70032343a0a7d23807ea75dbe02f1d81 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 34d06fce59ae2365c63fbfdb8467c2b944ef99b4b3f22cf811a56a9d4a5791d6 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html d4c0e660ed7fe263565040c9f54a4950f61c9521bd458c60dc09d6e749ba90c1 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html f09efd40ac3d6a7157b7cfa37b34598fce0cf7d139c7a086424255669e8714c7 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html eac963b6bf18b288b08799f31373640f39d82b68648b26c7ac351787be16c350 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 16243c5b939bae40c7a7d34f2b9c92c1f9c566d0c26cdee5b681913dc53346d6 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2cf74357a2b4ca2c35adc87284154ec1c72707cb2c92ed5698a96140fe5ba078 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 9648537c232c2373027633495fbd21bae6031023be9af87a6bce5c95d10628a3 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 164dd32aac301f762d9ed9904bc77f55dc9ce2e7bfa859752e9deb49402d0413 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 97c90f8fec20e20cd199bef24966ac0a89446fac0ada6709e026e1d7a16abea4 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 033959111a7c05ede82bf0503f3dbf480ff9d97108e247d15bb15fd56c823865 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html c03caefc1a9340855c7866d30dfbfa5afa86880bb9acd41d1abe92da6de29f23 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 6a04082448935465669b4cb5c96c63e1fafff5ac4486780088e70632d2abb93b 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html 448a9057bc2e74d672ef0dd32ab2722dbefd6a9a2bbc8228835132945956da1e 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 7a901089048c9e777072cf1223af6ec22d0ad50a10ede7fe6ae0d2d59c0c0d36 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 3a932ddbd20d3734c572908d9208de737ccc4cbe3d78dbbed81fa44a06fc74ff 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 325fe1eaa23943c627c141b9dd8068155fa20afd19fa9a3b759d49a1a6817b88 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html cda1d26e0b2a13fe9d8aae357e9b77dde6b2bc64c0e966af6c1585c11a9539af 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 8bee735106c22852f4c134389d92354af68c38e0710531d66b99a83cffbd555b 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 7c87efc727969c5caf64bda99f74ee6b2718bf99afeff8cc16dca943b69a1b22 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html cf029f5f18cc2f8e22799e7f4e6cfcb5b3e52ef3039b4c6b17af0a8bffc65700 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 446358284a0746612ec8ab03d0d186de7a11334b99c07a9811158e0b7ac272e2 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 34282f5d554c9749d2e468c63ac3bfaaca40cc88b44ed90bdb78fcb28ac1055f 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html d6e59c9e08ba1548cf9d86ccc7386a7ba76c35f6ed6395fb2d11478a4210576d 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 36a9b9dd02ccb896b9aab9931339c239ff0b9b0fb80a9ab1f8022a26ffa3bafa 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 1815d43d6657b4824dd627d5ff24724ec93766a2beca333de507031567407cad 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 859e2d51f15bef30f86381a2408889998a17a385518775c36e6aed600647d96f 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 4ab6827ed637626e6d1f07ef8a6eb6bcbc36b5879423a4d2bd874c724793eb78 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 37e6674d90c77825a4a780d377ad91029f11c32ba750be5c482261ee171fd032 2 /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-index.html fa09f106dc8d3b1fc5349d8bb3a6fb2b910c1448e8ab1816ccf5f08179434171 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html dd3fe0f17739af118cdc913ca53fb32bba9805d5f0c4df428a10a68e892b904b 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 0f5d8e1c40ce0e134bd47865d8aafa7011291c5f1d60cc245d3dfd1238f307dc 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html b8bece32b0478ee1ad117dba3db976224687beab83637a2716f24f270d389206 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 7dbb025a561b8d11d2bd639c0ba3761e5408d4cde7ec80d020d3ada92be356c1 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 67cb3decffccbd73c9fc32485c24e19e16d6bade1ebb71a59c198cc28bdc53ce 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 0f53b8b533201cceb46baeb8960771db648c5900e8a01d12ef64f83a3f2ed1b8 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 5f0f41d7ea45f69a649477dcd70fe7ca1be5683c8e2cb947c3c11cb5e27d8ef6 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 868f077b2cd3471b44c95d5c6a989066fafb4f7a1dfbcf4b11fa6a4dad441e18 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html de8ed8c2320b1014f32a1f0d26048990d80e3b78ad3f7ce90b5b0fa5291c015d 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html acf0a66f22388a5bc27ef91faf6f2a1f1a450ce413d8447afbad2d256cd1c384 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 0c82f1940241889dd3923e8e815e1ab722478304b16d98e48a778287a54388c6 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 558a90a7749657403b85aa58f3915c0ae4bb820c9932504a3674ac467fdcab2d 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html f3dbdc3899f0488903d5d2780961aed2a0a28a5359f8b56f385059bcd25f7972 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2d5c544fa7202285ea9416fe2196f36105c4f278a45977025ecc5d2b3f3079b5 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html ba02dfd8212b2a64d68089837b818396dd9997f7f5f1dfcd43228f0cdbe30ebb 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 5367e2409189753091fb30d9c571279a2a5c3a7ff94b0909475d79c2016e30b0 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html d5945efe7d31b86e179d90f69facf5e980c92231140d7dd2134017c59881de45 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 5022909cec7a8d07f421e0490cb078b89cbf6f3b16317fdf3def467b38c8c7b5 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html b818697f139c732fd539f5bb11e90a4b5bd2acdc7497d1a231e3e44f891c1d08 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 5eb27efc0552b92f2f77dcabef1152a0d54b2d48c0010e9e3f3d391f7642863c 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html bbdbacc15d6f5787533557338c0d490e1264b66ec65d3b8b782352686edb001c 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 63bed57f867bb511caa443fdc6d686cbf8e4fab327f2bbd3f33e9af2701dba5c 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 39eb3db2ca833f4a8a168560f4d89b28306646089e6850c8c2ff74432f231f2b 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 43518c790b685eba6a5df619e559365174a062126ab05ebe17350e43b57d4ac2 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 1f94419ce1eeecb277b9e5553f9b2325a71184b1961028578bb0f76bea324250 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html ca1654de6cf6cc123d3bae402cad0d3fd6585787dc0409e058dc85ef276ce41e 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 41b79cf52c10b8e3be122e1f99113220e814df22fff21435718b2f0a585f7a9a 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 37b23e68be65b9b5dae1fd25e8fae5a0470f92c41d7620851aa9486f3a734ca4 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html e2c6b22f5264260316200bf917f22375499386f0c0cbe139ab216d3d02c782b2 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html d4bd0838835f7caa56cf528a013cd9a0e04ca0ac5ad8bd3c43764cd860e37157 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html c8dfc67523ff4c32a70b7b112119340edb88a78f540660077ddee8053a121147 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html bececceae4209d70f5976ff8c875175e827475ab275f71d727ac40a45919bfd8 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 455bcf12a26179aea08b04756ca2be6ef7e915491a003efa44f6af279d4612e8 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 4a432903e37ad09fb2e4a86c8a4ce546167862eed15c1bc0c4a9b3e33675e956 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 1ad0c8573a6b4cec1cf608f410559f200bbcd850cdfcc51c1e5605f8b0dfae5c 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 7edf75c8b010d4abf6df8309afd13525e6c6ff1a573f61ba9a4421344bc44491 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 649e40479bcfa5f0efbb480a5b83a79ac59400bed497f54abe04ba8999005e59 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 9ef7fcf1495b858754b4efaaaabd8dda83239dde42e8cf18e132c1d22fa02124 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 269e727279f3c6adddce62f671ae9087709a5f02335e4d14432ad3a028419f3a 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html f8dbbe5816c5dfa55e39d992546280d14375fe3a153a4bc2133525dceb271294 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 64f4fd42b479a1dfbd8ffc6eae78ef1b654f4deddbff644ce2e0cd579b3e04af 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 13b0dc70ff0ecf2af5754f49677887c0d5e195201faf5f7a5c0ca8bb35b45eb1 2 /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-index.html 0f7362068796586f984657740d7b17ff2939be9e618df3afded29d324feb9da6 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 7423e329d720fb55a2553727691af2d2b23ec97bc2ca7f8fec9956edcf12630d 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html dff00911eb1fa3be12cf80834cb5f4c80983e7ea9176e654553122e71382f3bd 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html c807d0212dcb76f788c7dc14358f3ca4e26d7033a4ab554eac5f2113c1eb3722 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 4a8e554a20d413c096f14f730261cad2da6ec97ebcd8e1527987936369d398dc 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html bcadd3b2f4b3aece107c0e981944770f20737d98e69b4a112488686fc4636e03 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html dcecf5a7763d955ed8ee6a2bd0b0cebd3c0102f0a9ea785e0f83350351e2ffc5 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 1fe81116d8cdc4c0602fa2e5d695990ee789c5379bf62e5408e5713a5d2137d8 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html a8e8a7ed7e8529f129c361d1cd7cc50d00e86fa713983f79ea02abfd104d0138 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 6f2ac7a0fc54eaae0cbe0e611c517c7f0719d0d40ed92d817e33eb3dcfba9d6b 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 00012a995c94092c94d9102d7175ec84d4b674fe57565d1657849c8175613f91 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 44160533e1111ee624138ba2d3c7ccc0cd46d3f0e81f66bf42af4d86839f623e 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2e7bfe5a5fa54a21e3ec3c1ac7924beba7d25715d01569e186388337dc231208 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 3933b63e28f8a7ac19f4dc01ad7f02b4b23b6f916b6310e2811245f94dc2718c 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html c4808d0407785bfc4cc4b1ad0b41ece0003f09ac8cb8eac3f7e1c2ac168b9d79 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html cc532356110ec67330dcb2647f8907f96ec255be21c2d42263b7b2411b438459 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html e63d5bb3d147c8f11a2998513de979fd801fe2dcb6eafb56a2ed2fff350a7d7f 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 119205ee2c9d6b8efe9af65f3d0f18eae43a983da37b14554882191f51e73180 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 995727584755ce258010fcebf0072d73ed4310b821aa0ac472be575123f98ad7 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 785998a12407fb62417f2ec1b7f96d0e163c6a878c2db88a62794c72f4baabb2 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 6209ba4faf647c4bc4a74917616822b490a0e02363949c73891528aeeb15fc87 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html d73eb8cc9adc52a06fc6c3e45211d2351502a6604c07ee70a27abf1d46d7306d 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 6995c4c8442cc50dbe700306ba2fa4e4b3fed95b0464a4d637739ba5457a7242 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2a27a8355efe701ac80c243846027f44708bf9f108b91b9673e224c9a9d98e24 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 21ff9dc6c95b846c534f4ee671ca27b26598dfedc91062238feeba0063e95e9a 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 27d96e23771f0ce40c6f4130534dba0980b6d4dbcffdc0bce0de6466d34ed752 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 3e20a9ef25b82e188cc0d602cfd45d15fbcd1d68c0bdd46e39ed662e397b9e70 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 77dd7fad0f6e02481a7b336dc6cfc1fbc1bd2dd3ca846b31cea65a7f46b5fbdb 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 8fc7a6ffa6a8b3fc9f95c1cd3644aee5d7d377d3e20748f4273bc6c9f79e7f31 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html eb99da54567457aae78281b48a3ba5dae3b55c3d6ba467d1041602b6ebaf690b 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html ce46c40970652ada141549839dcac4260e1a75ec1541c87473a11f125cc2264e 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 141547c5f17f945e681f3c5ad14a238917f5f7833d79bb8c33e48ef0b42d0dbf 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 9ddcfe821dddc0d4804ca4be1886d54c4c389772db82c64fb7db873705ef3a34 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html b2e35bd5139e484996142202c83e9011abe07fdf974dc4ae1e3e83db4dcc876e 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 171c031e3bc6e5b47cf8f201ca06713062c1b7169a418a3531fd495121010cf2 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 8baff1f9a4ccddcd9ac5781a27a442d7f32730defcd0890d2fe6cae154a463c6 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2b75a15ddfbbb0e75441506e9ec4d685b5a33f5fc6bd051d75cc4eb5f40c8b64 2 /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-index.html 2e7a9b31e4eedfa38c2b9aa86ca8e59bc2d44092a30d44dfa0bbc96bb3ab2f1c 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 595b84d85ecd9859fbee0a19a639ea6df658eae7978d1711b5c2ba0fabaffb74 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 828b9b70c0bc5688ccd3c2228f90d8c94679c92599f3ff73c43889a46ed6c866 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 84a11e53c27705091d326810eedb2e005b97461f52500de2e97577fe5fdba814 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 0a1138356a28e222a943a53beb78dbf5eae6e4aea1d14e3a9a0085d7fb9183b4 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 1acdfdd2ffab9fd84cb0c99bdcccb029eec28b7f8f982886ef43765b9722f4e5 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 6c1f97108f935da33aaf5c6d31e74c69fc8f513830dace0665eab86d250907e2 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 4a9114078c729d79a8246fc9f56c4d4c63b9272c3ed7def9aa18c0d2b93176ab 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 34e3b6f55c79f1872deea5b13e485c5b0506eb311951a4a7ffaf6d3ea2bf5691 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html a31d21f1c378c3eb79b901957eb92d5b6fe498c19e78449e58d1841130a54722 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 597d14df5374a366e27bfc3f5091ca866a961d0dbadb9842a286fd4d01bd8a54 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 6f49f73ca7f0f27ccab7cae96d3438e1eaf5225ca56dddb5f24fb92ff6a769d2 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 7544750cfa414dc578c0d1b2dfb2d92b33b9133fe867975f68ad62aa5ad5ef58 2 /usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-index.html 1f1caa597602bc43b68568d19acb6d3166839d80dda2860345a2bd8574783b4f 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 41e2ad6310fc34c2882d2d09b4669ef05300174a53d5e1a3b22ff514b4c560b9 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 8c64646896e6fe69633987c4919bf35706b6460d2849aad094add3acbe3a94fa 2 /usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-index.html 0655548a71ebe9584ee7939dadcc6073d35f89e88aaf1881397ede3ec363d0c9 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html abc09bcde1d7eb1e83a97765e7cec0ba0eabb4283f6d09894acc977a97ec2f7e 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html bdfd439d93619d9a648938318e29609c705a9161e241ec4d5cfca2ee130b9409 2 /usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-index.html ae6d63019fd1688420ae4840f6a5ef6e64a26642ff75cf58223291b3662f478d 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 656825af0ef27e07acb446f3dde782506c0f6fe2309870365da3d949e2eb740d 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 14425f86df2b9ed094ac054924310d784a692bee4ea3c903434d8cba153dcd4c 2 -/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html e4f373353d737e1dd22303d52b4d6c89131171c24def3b0b5a8d682372cfdac8 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 3cb54cb85bd0d55f801a6f7051c32efc9a0dc444b67e3fabe6a1a6a41a678774 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html bb7f6a54a6968a8c98e06211af70deb00ab75dbf74e52eb693baac1cfdc6873c 2 +/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 548ee583a6e3114dad0e6feed8932967c3a00ae07682d795caa57ee2913106fe 2 /usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-index.html 6fec47c13f341992bc83b2f134ff7b47b6821926572c75e56ddbca4293fecc9c 2 -/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html d65a786dda46761bab5e9283d9c181977d08a998a78a72976413fbe421341848 2 -/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html a37f3726fe6675029743181df51420c3559baec71e35c315c9b4959890aaed84 2 +/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 7570dfda32e7fee425743ba86b51490af2f0f52e07f737975cd98a30bfeffef9 2 +/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html ac43841a0ef924b5640fac11fa5dc0e319d4cf2058d08c3b34c76824ec8500a8 2 /usr/share/doc/scap-security-guide/tables 0 -/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 06cdcf228814d80ba295153a346e8c14926d3545e1cd600a72048a34f63087ae 2 -/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 4e788ae406c42230d8ad396eb361e5e3c3e993e213e194d73d8ec996a79ed813 2 +/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html a4e65b2ceac215d23669659d706661456ca7237774d7a64a1de6742bae8c4fde 2 +/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html bb29b56a8d523da6ab8214faa454dad30a38a48bd5f310404e7f3a07e2781e12 2 /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-standard.html 800276dd30a8e6ec82ab051bb06db4e6c2099315d6133d2222460680fed37730 2 /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-stig.html 0bf189d1a29b7ed62c3aa4e0406b71dc7ce4f05007a91fec7490fd638629fad4 2 /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs-stig_gui.html c7ee44c44bf7c6d034470e2e1f2a62ca36a32dcbd1a72f467495550f123243d7 2 -/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 098ec06021b5e3ae9af8e18f0c7d9e0b73b923d4d57c8da0f2f28932ef163d68 2 -/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 34ca78cf3495e201219a0bba6b22d25b25e5dfacd3d7b4387fc6e5b541bf939f 2 -/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html fd378c9495412432777cfbfeb362375a0e5f068ff4bb2a6e8beb236bbdc15f0a 2 +/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html c01ae53af9ae8bd48239ae5a715dbb0304eb9082aa557bce4de996ffe0e33c58 2 +/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html b79bc9885b9b11d575a81ec364126973b3d5914a05a33fff0952653f7a16d597 2 +/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 483567facf1c1ce9f5d030f711878bc992b3418612a907c6e324a37297c81b2b 2 /usr/share/doc/scap-security-guide/tables/table-ol7-stig-testinfo.html 9f87705207b99274f60b6b8fa82669083c27a532a0ce57fd32d687db095c4600 2 /usr/share/doc/scap-security-guide/tables/table-ol7-stig.html e2e11478bcf827baf6af103642c105780208e3e07ac4feace59d6a48f2ba0b44 2 /usr/share/doc/scap-security-guide/tables/table-ol7-stig_gui-testinfo.html e09354c2159971142bfec0efc0b8456e710a40b2a6ff1af0bc14c7c41c91f58d 2 -/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 5a5a39a1a332c87230bfaf8bb3de76232c4ff64b945cda01529ed3b936b5d828 2 -/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html cabc5d8478406f5c32503261113303a63745a593a35658b5b7d13cda1e1cb193 2 +/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 7b653b15f297888792dff9c8f16d77affbc9cc389160a3dd150072bef01a8712 2 +/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 9a90b2003b9d7c85e84792e01fa88d3a10b1bae384ea8e2771e211494220b4db 2 /usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-ospp.html 72d6eb136a7365ace8a9eb3d69b3ca645ff42ee9f639438aac2d818db83755cf 2 /usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-standard.html 26c647bb367bffe080e7366b4ae1eadf7e2ace82c208c0052542aaf9b56718dd 2 /usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs-stig.html 9e0fe77d67ba50694eaf9e642c97a6bdce00953c3a1a79f8843176b95464d4ed 2 -/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 1956e23d18669bf7a1e17593fe9a0e8419462323bd164353301d71c87359ab99 2 -/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 5c54d56ff355713baea4e56c451d6b3fbaae3109cad497cd7e8245e39e7079a6 2 +/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html c13abb05c3fa7fa9130a4ccd6458ae7018cac172f7d2a89c31e3b437f20f4efc 2 +/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html eb2979e05802c5fffad081ca33aa82d079294c97228b0d64395ba91bfa6d15e1 2 /usr/share/doc/scap-security-guide/tables/table-ol8-stig-testinfo.html 07c6f0657c23ccae6d03e3a1b8a3d3384181ab162c160f46f55f3352e4b8f9f3 2 /usr/share/doc/scap-security-guide/tables/table-ol8-stig.html 7c224fe6ff310db156dfc66bdc6fa9a009fc408ad69349078ac0c5c2fbb4b0ef 2 /usr/share/doc/scap-security-guide/tables/table-rhcos4-cces.html e66f4fae5df030969cd6e40894e1f0efdd8cfa214f5f2ff60ca6ce5b95b032d8 2 -/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 6df88054d6822a2e4836c9f956ef480772dbc1b05b156fad9e71975dbd3e2f7c 2 +/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 1af1a57f94a7b91eea882468abe8b0c54e1112d9d8da665e5ccb5505bcfd6e13 2 /usr/share/doc/scap-security-guide/tables/table-rhcos4-ospp.html e2866ee446d2ffae38bd37f332c55cf748f02d755f464fe2c00354b4a79d79e9 2 /usr/share/doc/scap-security-guide/tables/table-rhcos4-srgmap-flat.html b548ba92262dfe58d45d3ea596da750c18a593736ec820026d42bf88a82b152c 2 /usr/share/doc/scap-security-guide/tables/table-rhcos4-srgmap.html 45cd86f340e869d4489f9208e2ac007c0190413a490947989ebe530c58d3d942 2 @@ -827,17 +827,17 @@ /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_high.html 2d821fe8d597f3d3813d0216b7ea10bda63beb36332c7c7a41240ddc7deb0c83 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_intermediary.html ffe3d1d08f3e25f585f03cd6b68a277b125484692033a1afa733b8dbc034c9aa 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs-nt28_minimal.html 6781823a43841d9efda111ae2670962750618e01aefc41fd2486002e8834ed9a 2 -/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 57759b872af945d8a2e6a259f94a382cec3033ce9a49566fd7a313abe3985284 2 +/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 5bd2c7e2753f689d64d1296f45193ca47152865733a10b289af56cce102fe0e5 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-cces.html be03501db9e37e168a6d46fb215fe088a9fa9db94e9e716d6538c9d453570000 2 -/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 82ed6f4272f9c664223406d926a21404c4f9ee1d06ed1486a3a4b5394d3e27ae 2 -/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html b03ac2d62d75f5303dd77bd3f28af060400caf29393632696c8edbcfeea98341 2 +/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html cb08ef793818060c68c511d630f4f9ee3d017f1b2ef15c4bcde5f3a3f8057418 2 +/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 97d87fc171adbece400ffb34ea8fadd933dbe1baffbbff8b1171e91a440b71db 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-C2S.html 250debe0c819b0859192e10d22ee3b31354a09e868c82094361824fd9130f5d3 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-ospp.html 9c228574bad22c6877b7bbee5cd9a70a2a3b948d82976fd43b593acc5c52a9d4 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-standard.html d023c4584b7503035ad7abef655c8752b44cd60e41e5ae8665101264bccef4d1 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs-stig.html 214b45dbfdebf7f88283426313ec6eb0a3cac348397afbc44af7164dc7018b37 2 -/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 76458a6e5e06a282b4d3f662dc1a9b2bf894e9a73ba09821933db607f7190622 2 -/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2749aee4e19f0cad2c403b148e01f48e8d7976bed8ba7adc856ddb54548b03c6 2 -/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 780ecff892d558b7eea6cd9933e7bb8be32e5b87b7ab3acdaf186505de9f9730 2 +/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 7b6ef471cc2b70cda7ba0fbcb5e984c83f5637b870ba14aaac8d8458d0773474 2 +/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html dfdb4c91e108252593f74cef75cd4e57cc1a8a82fca07b1ec481c8ac9cb821a4 2 +/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html ff60386a8d63042136f8f1d56fffc74e6b929b6510ef08e2e155a4482ff00df8 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-srgmap-flat.html d40454a2eb031bc044ea6c308d2a9d83f79efb5e7b89cd2a90bf615518cc1949 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-srgmap.html 99f79fa277cb6ba18f549c41897d89c852f103efcb37d2c8665924019784ec8f 2 /usr/share/doc/scap-security-guide/tables/table-rhel7-stig-testinfo.html 588bd8a6d38fc9de5679e8cba47287bb8f02bc0e5f99729bc11d7cdb405bd11c 2 @@ -847,15 +847,15 @@ /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_high.html dc4c26cc196d03436bcebec5c5ba11493ee19215b65806e4acc4d2edc89261aa 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_intermediary.html 92c97760df52652752b9f0c7860c09848c479c737eb2f06df9dd67dcb92fa910 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs-bp28_minimal.html 77fd3ca1747ec1abf5603c7b75ed6ee5cc6d58280c703776377c63b4a9ddcb3e 2 -/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 3b9c5a2d5a51c2fe3815abd8cd78a43314906418289a1b9d2ab5599d9eea096f 2 +/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html db94d7601cd905181f93a120b84ef9fe69914d36e0c8f35c0b0bb4bd613ca4e5 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-cces.html 4f09798d02e8c6e57a0ac565bb5e22fca19c5766e7e92b49db82352132601c2a 2 -/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html f502796792bb29627c2df543bdfa1d024808e2ccd83d71934d7f06665c27c373 2 -/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 4cdb7e0c48a07cd15762cc4b261499abe5f2419dc690e9b91a85879774252ae7 2 +/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 45593c6395a8e2723d25644ab33719a8d4ecd6e61879e70e9bf4dd2ae524dbe8 2 +/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 651705f3b68ccd2b697a07a4ca04468dd0324adb30d78153153d6f3da1340084 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-ospp.html 686e426e850a59472bf64466c84236236be81329bd2d15a4782316fa4b9019dd 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-standard.html 9f92017a4487586244adf82d9a81d116d5cdf9b957cb241ece0df265367288c2 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs-stig.html 43ec4fe8c91c7f95c400a98a13a008d9cf2081bd8b2d75cf3e6c95fcc304d07b 2 -/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html d892e27f975aa039f1315e21f9d4d2dac2cfec3b8247b13f92faaa4676d20189 2 -/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 7eb849e5e5b9ef070dc243add783e7faa28de7f2cf77670c2725f7edda12f8b1 2 +/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html fe823915650697a28d7fca0d39bbf101b88ec2b31a81a7ae866e609ccac4de67 2 +/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html d382f03fb8bfa35375bd4e8ea0d1f98f65849035ab7ebd9760a4588d7d522ac6 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-srgmap-flat.html 4fe164465808ca8ef5c26e944aa646cfb1714f013ee6abc6dd91ef856d43d00c 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-srgmap.html b1c4f43670c05e2c4012481e6d9878b1621a1df33123816786f4d9fa46633ea1 2 /usr/share/doc/scap-security-guide/tables/table-rhel8-stig-testinfo.html 56e1b77b0c5b7a1905ec607eb6da430afece818ba21c09bfbd59529aa53d4924 2 @@ -1145,93 +1145,93 @@ /usr/share/scap-security-guide/kickstart/ssg-rhel9-stig-ks.cfg 00ae1e816692e64c52346ccd758c4a766550c51f13e8b932f787d9b004f8162d 0 /usr/share/scap-security-guide/kickstart/ssg-rhel9-stig_gui-ks.cfg 55df2a89664132dfc450573d11b00e2391ee9373e7096512f3118f4070154113 0 /usr/share/scap-security-guide/tailoring 0 -/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml c7380c3924950b60d8bd0ec43dd5839448b3b0edfb47b6e3a53ab1868f91c605 0 -/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml dfb56e28373b4506f6e87c19cdc246754421c7e2fe1d2d5273619a7f857f3b70 0 +/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 88235253ca9bdd479e2cd3b222e3c7331cd2c9ddb44bca92ac0ddc5b0273f6cc 0 +/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml a5a512c087a525f05e3e47b1675ecf46c813e762da06ae5b4baeb072012ff452 0 /usr/share/xml/scap 0 /usr/share/xml/scap/ssg 0 /usr/share/xml/scap/ssg/content 0 -/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml c7bc0a5b0eaefa605bd12ccb3eb708e9c3b14c6896c21e55f495032c3ca16175 0 -/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 05d843607856796f3ea3474159131dd511b2f03f3d7e4d178d03ec8bff290842 0 -/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 66b927e30aeb909c49ca259661a95e264ffed8af1386478c4a803038af6ab5c1 0 -/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 64598467b43d5dc1bc1da28d174ff1bbd08c27547c4410ccfdd6cde7ce919894 0 -/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 8f971eacbb0db66d68104d3ce4ac739688d122b21cf9aae993f1514bab5a52e9 0 -/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 73bb520bf489bc5ca408d324adb6bdb8ed1b0958ae2909e5e0c10fd14812cfad 0 -/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml f4c2fdcc6806d2497c7478b530a6ce49caad200e962904f959b510d81eb60cb9 0 -/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 0a1b8a53ca39635bb21a1f9b8af91d324ab65a0e037aa3e8017335c470b2ee58 0 -/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 1eb2574676888fdd2ba65bd1f36cb8ac1cbf7ea239182357c2746944e26af938 0 +/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml c04aad93fdbd5a855403650878d8b826d11dbca54ce772f5dbfc8ba7b151a590 0 +/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 9724769e5c83ba0a1dd63a1b8e37d07bae21959d17026122df9f63186ffaa5a1 0 +/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml d6140db9ca47e898a24011388f70e1dde6afda0d7816c5d6a719f7a370f828a0 0 +/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml c5f569ef8da42b1f57d854a17a40151d7739f210936fa1c16afdb6b17bc898aa 0 +/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml d04bc006b0abe29553cea8bea36782f2a27b892dbae682f5f443cd83e1a4c7e6 0 +/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 9ed138861a433d14104ac48038307040c365f8dd80edce582c2ea655138e0eae 0 +/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 32a0ef83890bb046328889d2ed7aa76bec869c5a6904540a7539e74ae8960260 0 +/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 183b1c238c5fc07d3b743219a77adf3d176f5c261ff7a372c1a557f2634b016c 0 +/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 79162604a82f02fbb5bf3622e23c485c94ff9a9b33f3e57d4bd439c71e50ad70 0 /usr/share/xml/scap/ssg/content/ssg-fedora-cpe-dictionary.xml c8d5f0a2f8acf0028f9b74e68518b0738539bec86eda83407164f2ce3223dd58 0 /usr/share/xml/scap/ssg/content/ssg-fedora-cpe-oval.xml a55cc74e5430dedba5aebb2fbcccac38628329887d3438a0f480313349fce9a5 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 318ca6c6b03394bbc7e65aa639bc8a0d38dc4afbeb3f35c742a242b0808408dc 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 46e2f8e8d2141ef5f13dfcbb0b587069e823b1d7b5ed5313a28386a62f7c02a6 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml b66b3e2624a5ead5bfcf56a3b827f0278ddd42ebf511622375ea6166b11a0abb 0 +/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 230b312a6f7cf14c822d448e83d638746c0cc61b79501b1448a810e588855d73 0 +/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 1e9565d3767c75b04935da52b017d24feb62ce1287a75083b17add7c9e9edf87 0 +/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 8390220b2439aad32ede534b924bf64e57f1d6f2f634075d847e460c5517747c 0 /usr/share/xml/scap/ssg/content/ssg-fedora-oval.xml 9756e05259ba22fbe39c6308da5b196ed61d72d958615b4f7498d663704eb098 0 -/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 4f65f9dc27252a0aeb451886e1fcffe79b5e61a4793f1c222d6070a001e21a80 0 +/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml db47fb44c78090e9d35cae5d5819a55019d16c9d402c28fe4b3a0187a06b49dd 0 /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-dictionary.xml 5e7eed9a1a733623dbdc77f310ea4c5fb8b162b49368434bdfd956ba4a734fca 0 /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-oval.xml 110031ae4468339493278d91398819999dce35f3d323d127602ada8c7eeddf39 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml c5f754be3ef2a050387ca17714f721c3fe9bc59877ade7c7c0ec7144d3c0c190 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 48741983cebbc454062c31c87ca883d0cf9e09d046aea55ed68f3caf1cf22f96 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml eaa1ba7e5c83b9be5e38d7c803d13c2e0a0b1dd4ec9b073ab830f7157d7ab56e 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2bc67366a788ca2b31fbf60949466830837c53d2a02e4fee428fb0cb5b2ee63c 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 016fbcdfa39d0719dca4cbf37a5e577b58ccb05e4c111bad74a2dfd60e93b2a8 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml b48e78ead0b4f98bbaf90c7eb3291e83c9de62ec92b83b84a96aee1aff4d4fcf 0 /usr/share/xml/scap/ssg/content/ssg-ol7-oval.xml c70d7c25f934f263c0ac3700c469dec1eeb06099afe66f8ac0f72e6bb7e51def 0 -/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml f932a5f4a5c9be223bf84ef074e866444e3c1752ca44edd37bffa068ac6abe44 0 +/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 8c0da81664269a650bb61e2b3b4463308cf1065c6e1d183155cd251ec4b22fae 0 /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-dictionary.xml 3124a453d0961ef1f92742b355968daa1bc3b7f18b9af07e9d548e0a82d60957 0 /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-oval.xml 9272cba0ed87a6522b40ee8bdd72e97d14b0903f93a8057f4054df4afa5e2373 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml ae4847ecfd556aa603d48bc8680c27a6f6af76de058fd89a05ec2a9dfb945971 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml e912b6fb10630a03d1503c15fc55d2c6f26c34e12259f3a890139746208ad4b3 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 9448fc54d344f825556193ec9cafcace41370b8097bb9a5e0413c28413fa31b7 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml e048eafe9b51cd9aa1de26ca35cb26247cdb806ada90d7792c0dbd0d715ef9f2 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml e4002425a0df69e399ac0c1d6c9c981320f16e0ea9a0b780a45b47d0e9542aca 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml dbcfec30277dbfbfbca1af89a9b6c69b6aff010a6bc37a43680ef139968561f7 0 /usr/share/xml/scap/ssg/content/ssg-ol8-oval.xml a6fbc46fb0e959e298caa76786fe64b877ac65b8b28eb25b9906f2358b0334f3 0 -/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml a08f2435326d5d78189fb50ffb4fddb4477d5295cc9ebf869a34c72cdfd25459 0 +/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 766f5e73877ab8f4b04eacfffd10da92c05a83fdb9fa9bb5b1f976be46bd6f8f 0 /usr/share/xml/scap/ssg/content/ssg-rhcos4-cpe-dictionary.xml ce0e47b1662da5a097f0d1345ba2b60d417e3da6d9d280d2e2e96a612e6b8bef 0 /usr/share/xml/scap/ssg/content/ssg-rhcos4-cpe-oval.xml c08d1ec93793b1b903ff99c84a1c181a57b7cc734cf0063141f1d040276308c6 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 6c9adf0645ffd577a8b3a4e9b1d3a5e65206addc251fc5242eef42fc0caaee91 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml f8a7045c4def24ea185fa1d96bc306db07068d1920d49c1b06caf0a048b6678e 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml aec8c15b0e759a29cd135a12ddeb47d19c28a5c442d647b2c6bfd52b7c5d19ed 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 557990ddd80bf211c769e62bcbee63f7b050bf981382ef65174d895ef76419cb 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml b5d5516d0235f28577a84f0a2dd8f159dcd5ff8355052553a9f768f10aca6bed 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml f701f0f927355b0b96606816a3648783a907757076f7af84d45445f46ac380d1 0 /usr/share/xml/scap/ssg/content/ssg-rhcos4-oval.xml 6c67dc54351787b7e6da00f853da6f1f628a205fd9a602a81201a3c63ba2e4b4 0 -/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 0c87c9673c22adf18c093783d5d84a2c2856cb553944402c0aaf51d380af003a 0 +/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml fdf407a95b74f448fb41290607afe1d2a4edc5d659410be8656e1b15d5debd6a 0 /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml 3de9bda65d07d283299b6d7d262333656a554c07a7ac4a20cbf07c07a864f1ac 0 /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml b8bc15716584c443bd59ccd32dac7c654332c61d757245f22fa18f9440408348 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml a556720f70b18a3f5aabea0e9500fb634bbf07bcde7d8052550ef056308b5185 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2fb31cf625ab2ce15244758ff68e0d523d806bf33f6c28587c41193d948147e5 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 60493bd78e867b3972c45cabd40446a100c55cd60571f9489ee15d5b9dc70d32 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml dfcb71092ef1ad64283630b1d110f3d09340fc6089a3972eae5f1bcdc6c5d2f4 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 9e3aef235fd6b40818a23027adb29a2cebc50bd104c819786be45ca34348327b 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 4f39cd20faa7284c6865df5ee2fd98b63fe1d7953c016108889920f3774d0bf8 0 /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml 3ab21e6e631fa0769ec0a750701e6aff521349841d877d99fc96dc8b69a735bd 0 -/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 044896edcde1cf5d583783971a51ba822e30432262d82c0feb37d75e35a62d7a 0 +/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 5b10129862ee597b66386a6b46800350390b1e0647b0cb08c3b5a10d1d87c4f6 0 /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-dictionary.xml 3040dd62c0cada63b4ff1349a08a764dfa0925abb5c94257933aae4e54f0772c 0 /usr/share/xml/scap/ssg/content/ssg-rhel8-cpe-oval.xml 674b9770bcc4e2047c6f2fd016f1f75f67264f888a3ae94dc2ff9d5a85a91f8f 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2e6d733719e910953a74a2e626068dd35bf495fa263e4b9d04962682ff377f3b 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml c6e4feb8e9c71d0c950a062aab4916dcec48b3fecbb86dd67c8d65bfc2442b2a 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 20d7e3051121449e3aa8d8b248dbe1003987df66fa7fc20bda07fbb419c4eaf9 0 +/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 72b333ac27b111b067ceb035bea54a426d60aaaeaafeaa7466e6d9c726b993ae 0 +/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 998023a037f13d22bc0a0e7f47e15f25aa725544c7ff066286a75c8921ebb825 0 +/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml e6c3c6779b411dfcf993b840c191a24995a72e8b826f0cb48f9f6cc888e93ba2 0 /usr/share/xml/scap/ssg/content/ssg-rhel8-oval.xml 6a7d3e38420fbfd123f9082516845f2f29680506b99ab9cb0bb59666c63f0c06 0 -/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml c746b4eac0bef21cb8f2b0c3d37b0db62fab990344798611b50d8f29f011039c 0 +/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml ad5d5ade4542b6f383f37fc314088962d7a3849b9da48073c80ce17be12ce4e4 0 /usr/share/xml/scap/ssg/content/ssg-rhel9-cpe-dictionary.xml ccae6d9c84ab921c4944bc5aa1251caced39d210b048c7e73ccaf44241c67c10 0 /usr/share/xml/scap/ssg/content/ssg-rhel9-cpe-oval.xml d8648a52af92e2a5988455a32f69b0ffa40445ef843540967cb756f93462418e 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 1e2f821322c75d9f8e126cffddfc2978847cf89d81c1c3aa3d74c0acd219290f 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml bfc8662ccfdf9ce05163a5d8778b2ca7feef9741ef6445e31ebb6831c943368f 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml f767189d60fd9d54f9a842fdfacec97727e80263376661de96174e052d03ea22 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 85eca241ad94013da436e2528a6db21717e1a4f004b2d01d9b2b14825c596c23 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 4134e6648276ef4f3cd0277577b80e701d18ceaf0a3745af8d18d7b18100be41 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 655f0fce0f1ae8fdf1c08ac1689c09d8d6431ba5cb90d3f3ecc3c67d57ebde70 0 /usr/share/xml/scap/ssg/content/ssg-rhel9-oval.xml b20f0d226440a686364717ce8a12a619dc1459c5e0e3af45dc52af83d8addafa 0 -/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml bee6b6dca914b9dff5e3565c3f49ba813291caa7b37ba77d07d82262449645da 0 +/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 31539d4e9365b416b12e3a2542e4c84731ca44abac13861fa9a81559e6731936 0 /usr/share/xml/scap/ssg/content/ssg-rhosp10-cpe-dictionary.xml 8e187a0c323447d1b4e11acd6a69cb5cc60348abe026bf6330a20388c251d723 0 /usr/share/xml/scap/ssg/content/ssg-rhosp10-cpe-oval.xml 700e38b9f4e7696cc2729956b000063f2a1f0c9ebea123d483d65e72287d8c7d 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 31dd58f9242266ffe3d4599815ef2a27011040285a4cc84f530e770a2fd5086f 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 21c261d5bde4d586c3480492c02bde3c68a891448b240692444fea1bf6cfcbdb 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 02ff761f112b72e9ac3d8e6d3d0dae83e884573ece5f48c592378b75587db368 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 984b3cb9355edbb520008b2b1607c6085b377b2082221eb38340f33cb4558568 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 81dbf625f175534a5fdd5a51d2c8b2aa24688e74c16c0fb1a724ff0515098615 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 46fe17445ab3b5a18865c503cb61b8a02a41e701f52290600f98cedb54b82460 0 /usr/share/xml/scap/ssg/content/ssg-rhosp10-oval.xml d6efc77f0cc37e70b2dfd1d8d64fc12a89f22371250fce3918120156dcfee8c7 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml fd84ce6eca15735de91ae89caf7725e59ac0ad43220cabd7f1c1223c35e48eb6 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml 8848bafd1cddb2fcb46903eed17b7961105bc0c159111a64fdc0d506dc13abb1 0 /usr/share/xml/scap/ssg/content/ssg-rhosp13-cpe-dictionary.xml 1915595d83e83ee6737b1b84be0cde945d0f6d96d4d9aa8ffcc6d27a1daa55c7 0 /usr/share/xml/scap/ssg/content/ssg-rhosp13-cpe-oval.xml 15098a7075538c37e96c4dc838d38fe72fc27bf193b1633c3eb935b790123477 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 19e44b7ef70923bbf1f5e524afaa9835e9f56de41386f16de328a522a3e7ec6a 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml a6007cf51cf940ce2647f61ead9e73078004086f8de02bbf2a479cf6df80e6a8 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml 3ec019f36759dfe1e989d5261ba94fea94d2d86f1ae4f2abe138261a4e5a4108 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 8b82ea3f0565db682d4ea59c31f5ffe3637b15e057074159f5838b5b4f4b59f7 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml 55fbc5126fb3038362403107a88c3d44f5001804c3d269fa200b5532dbc2684b 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml a7d33de9ea9d90c3828451aafa137f9326d2b18755e40af52cf52ed5bfc0ab77 0 /usr/share/xml/scap/ssg/content/ssg-rhosp13-oval.xml 8f56d277bbe113c12261647e620cddc66d476999870574d39633753ed5f7b514 0 -/usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 8b76d235c74c6d7989593ec0c22b618240379821e2c1fad029feae254b928529 0 +/usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 07512a6b38696615460e4ac61d4abbb0d21ee2d37634968289e2aeb4115d500b 0 /usr/share/xml/scap/ssg/content/ssg-rhv4-cpe-dictionary.xml 74210b5efa58bbbdb9133dd82d36a7e4aa0d75869d34e0ac89ea1d01469970d3 0 /usr/share/xml/scap/ssg/content/ssg-rhv4-cpe-oval.xml 9bf46d8d34e75bfc5769b34a6c68db8f617401343b72c42a81255257e0bfd83a 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 94aca25143e01825d568812d4e4c1bebb9f44d923447bf6b9deb9032f2d1a4d5 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml f5f675bec8520b92b29ee487f1570876f1263aa6c954c31e778af94effc4b7a9 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml bdd89b179c63c29258c62c00f7a89f53e5a129faf3b6c892858ec7399b632e2f 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2ba43705a99d46c1dd7a7a36276bb81e0175ad4c650b5b6d0751037676bae552 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 277db4b551dcb4c29bb2bcbad70f42ff8d1ebd2e2a1c3773718423a552c5c3ec 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 731925f9fd3b88ff434ed404b5d3d062775df5c594fa83ea26415b5ea92fd2a7 0 /usr/share/xml/scap/ssg/content/ssg-rhv4-oval.xml 3fe591b84cfeb276e40d6ce4f5b28f91c4226009f27613c46e1b2c17d4b799a5 0 -/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 9bedf27fa271effb5d1fec66860a4e5e5b65df068dcf32e5c4a6a3e31d6af6bf 0 -/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 15e28ef4fdce5ee9c744e055feed6625ccc04dbe5f39a8cac4564d5b45605eef 0 -/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 10777dcd3a1c9968594508064445c08ba9f3c7451e9263dbdea18f0619efc439 0 -/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml bec4c3bcdb46fb17ee4f7e2c136676fb3965c19d371fc536c7c35c808db0bbe6 0 +/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 0de2b7cd3a593b13aba25be767e1132a323fa08e3c2cc6a1cc574a1a93f416c1 0 +/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml c8afaeba043a985a24f7cd7ec3d317782aeb30dca66881ae53f4cb44b1024fc6 0 +/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 80e4849eba1f403678533cb1a3385bddf6048a73f697d9caf845299d04a81800 0 +/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 131edeea2f38c524890924c7067960e91ea660b70aacb5ca89f92ff5cd2f7bf1 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 47 groups and 96 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:centos:centos:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Base Services
    2. Cron and At Daemons

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 28 groups and 51 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:centos:centos:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 49 groups and 122 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:centos:centos:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Base Services
    2. Cron and At Daemons

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 29 groups and 57 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 @@ -80,7 +80,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 61 groups and 161 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -80,7 +80,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 61 groups and 175 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 @@ -80,7 +80,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 57 groups and 151 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -80,7 +80,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 27 groups and 43 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 105 groups and 271 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 94 groups and 203 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 89 groups and 199 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 103 groups and 269 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 @@ -90,7 +90,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile IDxccdf_org.ssgproject.content_profile_cui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 64 groups and 200 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 @@ -80,7 +80,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) Essential Eight
Profile IDxccdf_org.ssgproject.content_profile_e8

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Application Whitelisting Daemon
    3. Obsolete Services
    4. Proxy Server
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 48 groups and 97 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 @@ -83,7 +83,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 52 groups and 135 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000 @@ -84,7 +84,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) ISM Official
Profile IDxccdf_org.ssgproject.content_profile_ism_o

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Application Whitelisting Daemon
    3. Network Time Protocol
    4. Obsolete Services
    5. Proxy Server
    6. Network Routing
    7. SNMP Server
    8. SSH Server
    9. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 71 groups and 147 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -81,7 +81,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Protection Profile for General Purpose Operating Systems
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 64 groups and 200 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 49 groups and 120 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -86,7 +86,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon
    13. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 106 groups and 353 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 @@ -92,7 +92,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
Profile IDxccdf_org.ssgproject.content_profile_stig_gui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9
  • cpe:/o:centos:centos:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 104 groups and 352 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleOSPP - Protection Profile for General Purpose Operating Systems
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:fedoraproject:fedora:36
  • cpe:/o:fedoraproject:fedora:35
  • cpe:/o:fedoraproject:fedora:34
  • cpe:/o:fedoraproject:fedora:33

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Mail Server Software
    4. Network Time Protocol
    5. Hardware RNG Entropy Gatherer Daemon
    6. SSH Server
    7. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Fedora   Group contains 63 groups and 208 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Fedora
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:fedoraproject:fedora:36
  • cpe:/o:fedoraproject:fedora:35
  • cpe:/o:fedoraproject:fedora:34
  • cpe:/o:fedoraproject:fedora:33

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Fedora   Group contains 47 groups and 120 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Fedora
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:fedoraproject:fedora:36
  • cpe:/o:fedoraproject:fedora:35
  • cpe:/o:fedoraproject:fedora:34
  • cpe:/o:fedoraproject:fedora:33

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Network Configuration and Firewalls
    5. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server

Checklist

Group   Guide to the Secure Configuration of Fedora   Group contains 39 groups and 77 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 61 groups and 161 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDRAFT - ANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_high

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 61 groups and 174 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 57 groups and 151 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_minimal

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 27 groups and 38 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 @@ -69,7 +69,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCriminal Justice Information Services (CJIS) Security Policy
Profile IDxccdf_org.ssgproject.content_profile_cjis

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 47 groups and 101 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 @@ -81,7 +81,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleUnclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile IDxccdf_org.ssgproject.content_profile_cui

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Base Services
    2. NFS and RPC
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 51 groups and 104 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
Profile IDxccdf_org.ssgproject.content_profile_e8

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Obsolete Services
    3. Proxy Server
    4. Network Routing
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 46 groups and 93 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 54 groups and 142 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Protection Profile for General Purpose Operating Systems
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Base Services
    2. NFS and RPC
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 51 groups and 104 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 48 groups and 98 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleSecurity Profile of Oracle Linux 7 for SAP
Profile IDxccdf_org.ssgproject.content_profile_sap

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. File Permissions and Masks
  2. Services
    1. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 10 groups and 9 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Oracle Linux 7
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Base Services
    2. Cron and At Daemons

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 28 groups and 72 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for Oracle Linux 7
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. FTP Server
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. Obsolete Services
    8. SNMP Server
    9. SSH Server
    10. System Security Services Daemon
    11. X Window System

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 101 groups and 264 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG with GUI for Oracle Linux 7
Profile IDxccdf_org.ssgproject.content_profile_stig_gui

CPE Platforms

  • cpe:/o:oracle:linux:7

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. FTP Server
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. Obsolete Services
    8. SNMP Server
    9. SSH Server
    10. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 7   Group contains 99 groups and 263 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 61 groups and 168 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 61 groups and 181 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 57 groups and 158 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 27 groups and 42 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 @@ -69,7 +69,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCriminal Justice Information Services (CJIS) Security Policy
Profile IDxccdf_org.ssgproject.content_profile_cjis

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 49 groups and 104 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 @@ -81,7 +81,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleUnclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile IDxccdf_org.ssgproject.content_profile_cui

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 63 groups and 205 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight
Profile IDxccdf_org.ssgproject.content_profile_e8

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Application Whitelisting Daemon
    3. Obsolete Services
    4. Proxy Server
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 48 groups and 95 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 54 groups and 140 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Protection Profile for General Purpose Operating Systems
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 63 groups and 205 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 50 groups and 124 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Oracle Linux 8
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Base Services
    2. Cron and At Daemons

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 29 groups and 78 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDRAFT - DISA STIG for Oracle Linux 8
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:oracle:linux:8

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon
    13. X Window System

Checklist

Group   Guide to the Secure Configuration of Oracle Linux 8   Group contains 106 groups and 364 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDRAFT - ANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Mail Server Software
    2. Network Time Protocol
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 43 groups and 91 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDRAFT - ANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Mail Server Software
    2. Network Time Protocol
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 43 groups and 95 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDRAFT - ANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Mail Server Software
    2. Network Time Protocol
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 40 groups and 83 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDRAFT - ANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
  2. Services
    1. Mail Server Software

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 10 groups and 8 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) Essential Eight
Profile IDxccdf_org.ssgproject.content_profile_e8

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. File Permissions and Masks
    5. SELinux
  2. Services
    1. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 23 groups and 51 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-02-22 00:00:00.000000000 +0000 @@ -87,7 +87,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleNIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile IDxccdf_org.ssgproject.content_profile_high

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 52 groups and 237 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-02-22 00:00:00.000000000 +0000 @@ -87,7 +87,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleNIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
Profile IDxccdf_org.ssgproject.content_profile_moderate

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 52 groups and 237 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleNorth American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS
Profile IDxccdf_org.ssgproject.content_profile_nerc-cip

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 52 groups and 237 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProtection Profile for General Purpose Operating Systems
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Application Whitelisting Daemon
    2. Kerberos
    3. Mail Server Software
    4. Network Time Protocol
    5. SSH Server
    6. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 50 groups and 151 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -68,7 +68,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] DISA STIG for Red Hat Enterprise Linux CoreOS
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Application Whitelisting Daemon
    2. Kerberos
    3. Mail Server Software
    4. Network Time Protocol
    5. SSH Server
    6. System Security Services Daemon
    7. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4   Group contains 54 groups and 160 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_pci-dss_centric

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. 2.
    1. 2.1
    2. 2.2
    3. 2.3
    4. 2.4
    5. 2.5
    6. 2.6
  2. 3.
    1. 3.1
    2. 3.2
    3. 3.3
    4. 3.4
    5. 3.5
    6. 3.6
    7. 3.7
  3. 4.
    1. 4.1
    2. 4.2
    3. 4.3
  4. 5.
    1. 5.1
    2. 5.2
    3. 5.3
    4. 5.4
  5. 6.
    1. 6.1
    2. 6.2
    3. 6.3
    4. 6.4
    5. 6.5
    6. 6.6
    7. 6.7
  6. 7.
    1. 7.1
    2. 7.2
    3. 7.3
  7. 8.
    1. 8.1
    2. 8.2
    3. 8.3
    4. 8.4
    5. 8.5
    6. 8.6
    7. 8.7
    8. 8.8
  8. 10.
    1. 10.1
    2. 10.2
    3. 10.3
    4. 10.4
    5. 10.5
    6. 10.6
    7. 10.7
    8. 10.8
  9. 11.
    1. 11.1
    2. 11.2
    3. 11.3
    4. 11.4
    5. 11.5
    6. 11.6
  10. Values
  11. Non PCI-DSS

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (PCI-DSS centric)   Group contains 337 groups and 96 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-02-22 00:00:00.000000000 +0000 @@ -75,7 +75,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleC2S for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_C2S

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Base Services
    3. Cron and At Daemons
    4. DHCP
    5. DNS Server
    6. FTP Server
    7. Web Server
    8. IMAP and POP3 Server
    9. LDAP
    10. Mail Server Software
    11. NFS and RPC
    12. Network Time Protocol
    13. Obsolete Services
    14. Print Support
    15. Proxy Server
    16. Samba(SMB) Microsoft Windows File Sharing Server
    17. SNMP Server
    18. SSH Server
    19. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 101 groups and 234 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_enhanced

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 61 groups and 166 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_high

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 61 groups and 180 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_intermediary

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 57 groups and 156 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_nt28_minimal

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 27 groups and 39 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 106 groups and 290 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 95 groups and 227 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 89 groups and 222 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 104 groups and 288 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 @@ -69,7 +69,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCriminal Justice Information Services (CJIS) Security Policy
Profile IDxccdf_org.ssgproject.content_profile_cjis

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 47 groups and 101 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 @@ -81,7 +81,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleUnclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile IDxccdf_org.ssgproject.content_profile_cui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Base Services
    2. NFS and RPC
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 51 groups and 104 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) Essential Eight
Profile IDxccdf_org.ssgproject.content_profile_e8

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Obsolete Services
    3. Proxy Server
    4. Network Routing
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 46 groups and 94 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 54 groups and 143 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2022-02-22 00:00:00.000000000 +0000 @@ -92,7 +92,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleNIST National Checklist Program Security Guide
Profile IDxccdf_org.ssgproject.content_profile_ncp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. LDAP
    4. NFS and RPC
    5. Network Time Protocol
    6. Obsolete Services
    7. Network Routing
    8. SSH Server
    9. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 105 groups and 386 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleOSPP - Protection Profile for General Purpose Operating Systems v4.2.1
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Base Services
    2. NFS and RPC
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 51 groups and 104 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 47 groups and 96 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleRHV hardening based on STIG for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_rhelh-stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. FTP Server
    4. LDAP
    5. NFS and RPC
    6. Network Time Protocol
    7. Obsolete Services
    8. Network Routing
    9. SSH Server
    10. System Security Services Daemon
    11. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 100 groups and 378 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2022-02-22 00:00:00.000000000 +0000 @@ -90,7 +90,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleVPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization
Profile IDxccdf_org.ssgproject.content_profile_rhelh-vpp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. SSH Server
    2. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 48 groups and 142 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000 @@ -68,7 +68,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleRed Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Profile IDxccdf_org.ssgproject.content_profile_rht-ccp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Base Services
    2. Obsolete Services
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 38 groups and 69 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Base Services
    2. Cron and At Daemons

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 28 groups and 51 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. FTP Server
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. Obsolete Services
    8. SNMP Server
    9. SSH Server
    10. System Security Services Daemon
    11. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 102 groups and 260 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 @@ -82,7 +82,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG with GUI for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_stig_gui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. FTP Server
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. Obsolete Services
    8. SNMP Server
    9. SSH Server
    10. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 100 groups and 259 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 61 groups and 170 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 61 groups and 184 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 57 groups and 160 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 27 groups and 43 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 105 groups and 280 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 94 groups and 212 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 89 groups and 208 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 @@ -70,7 +70,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 103 groups and 278 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 2022-02-22 00:00:00.000000000 +0000 @@ -69,7 +69,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCriminal Justice Information Services (CJIS) Security Policy
Profile IDxccdf_org.ssgproject.content_profile_cjis

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 48 groups and 102 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 @@ -81,7 +81,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleUnclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile IDxccdf_org.ssgproject.content_profile_cui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 64 groups and 216 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) Essential Eight
Profile IDxccdf_org.ssgproject.content_profile_e8

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Application Whitelisting Daemon
    3. Obsolete Services
    4. Proxy Server
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 48 groups and 97 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 54 groups and 137 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000 @@ -75,7 +75,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) ISM Official
Profile IDxccdf_org.ssgproject.content_profile_ism_o

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Application Whitelisting Daemon
    3. Network Time Protocol
    4. Obsolete Services
    5. Proxy Server
    6. Network Routing
    7. SNMP Server
    8. SSH Server
    9. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 71 groups and 150 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProtection Profile for General Purpose Operating Systems
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 64 groups and 216 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 49 groups and 122 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 2022-02-22 00:00:00.000000000 +0000 @@ -68,7 +68,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleRed Hat Corporate Profile for Certified Cloud Providers (RH CCP)
Profile IDxccdf_org.ssgproject.content_profile_rht-ccp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Base Services
    2. Obsolete Services
    3. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 39 groups and 70 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Base Services
    2. Cron and At Daemons

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 29 groups and 57 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon
    13. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 106 groups and 366 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 @@ -82,7 +82,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG with GUI for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_stig_gui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8   Group contains 104 groups and 365 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 61 groups and 161 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 61 groups and 175 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 57 groups and 151 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 27 groups and 43 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 105 groups and 271 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 94 groups and 203 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 89 groups and 199 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 103 groups and 269 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 @@ -81,7 +81,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
Profile IDxccdf_org.ssgproject.content_profile_cui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 64 groups and 200 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 2022-02-22 00:00:00.000000000 +0000 @@ -71,7 +71,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) Essential Eight
Profile IDxccdf_org.ssgproject.content_profile_e8

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Application Whitelisting Daemon
    3. Obsolete Services
    4. Proxy Server
    5. Network Routing
    6. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 48 groups and 97 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleHealth Insurance Portability and Accountability Act (HIPAA)
Profile IDxccdf_org.ssgproject.content_profile_hipaa

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. NFS and RPC
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 52 groups and 135 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 2022-02-22 00:00:00.000000000 +0000 @@ -75,7 +75,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleAustralian Cyber Security Centre (ACSC) ISM Official
Profile IDxccdf_org.ssgproject.content_profile_ism_o

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. Avahi Server
    2. Application Whitelisting Daemon
    3. Network Time Protocol
    4. Obsolete Services
    5. Proxy Server
    6. Network Routing
    7. SNMP Server
    8. SSH Server
    9. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 71 groups and 147 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2022-02-22 00:00:00.000000000 +0000 @@ -72,7 +72,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Protection Profile for General Purpose Operating Systems
Profile IDxccdf_org.ssgproject.content_profile_ospp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. zIPL bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. Kerberos
    4. Mail Server Software
    5. NFS and RPC
    6. Network Time Protocol
    7. SSH Server
    8. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 64 groups and 200 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 49 groups and 120 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] DISA STIG for Red Hat Enterprise Linux 9
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon
    13. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 106 groups and 353 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 2022-02-22 00:00:00.000000000 +0000 @@ -83,7 +83,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9
Profile IDxccdf_org.ssgproject.content_profile_stig_gui

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:9

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 9   Group contains 104 groups and 352 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-cui.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] Controlled Unclassified Infomration (CUI) Profile for Red Hat OpenStack Plaform 10
Profile IDxccdf_org.ssgproject.content_profile_cui

CPE Platforms

  • cpe:/a:redhat:openstack:10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. OpenStack
    1. Cinder STIG Checklist
    2. Horizon STIG Checklist
    3. Keystone STIG Checklist
    4. Neutron STIG Checklist
    5. Nova STIG Checklist

Checklist

Group   Guide to the Secure Configuration of Red Hat OpenStack Platform 10   Group contains 6 groups and 36 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhosp10-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] STIG for Red Hat OpenStack Plaform 10
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/a:redhat:openstack:10

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. OpenStack
    1. Cinder STIG Checklist
    2. Horizon STIG Checklist
    3. Keystone STIG Checklist
    4. Neutron STIG Checklist
    5. Nova STIG Checklist

Checklist

Group   Guide to the Secure Configuration of Red Hat OpenStack Platform 10   Group contains 6 groups and 36 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhosp13-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleRHOSP STIG
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/a:redhat:openstack:13

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. OpenStack
    1. Cinder STIG Checklist
    2. Horizon STIG Checklist
    3. Keystone STIG Checklist
    4. Neutron STIG Checklist
    5. Nova STIG Checklist

Checklist

Group   Guide to the Secure Configuration of Red Hat OpenStack Platform 13   Group contains 6 groups and 35 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8::hypervisor
  • cpe:/a:redhat:enterprise_virtualization_manager:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Virtualization 4   Group contains 45 groups and 115 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile Title[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)
Profile IDxccdf_org.ssgproject.content_profile_rhvh-stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8::hypervisor
  • cpe:/a:redhat:enterprise_virtualization_manager:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Cron and At Daemons
    3. FTP Server
    4. LDAP
    5. NFS and RPC
    6. Network Time Protocol
    7. Obsolete Services
    8. Network Routing
    9. SSH Server
    10. System Security Services Daemon
    11. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Virtualization 4   Group contains 101 groups and 374 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2022-02-22 00:00:00.000000000 +0000 @@ -90,7 +90,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleVPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)
Profile IDxccdf_org.ssgproject.content_profile_rhvh-vpp

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8::hypervisor
  • cpe:/a:redhat:enterprise_virtualization_manager:4

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. SSH Server
    2. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Red Hat Virtualization 4   Group contains 49 groups and 143 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 2022-02-22 00:00:00.000000000 +0000 @@ -74,7 +74,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:scientificlinux:scientificlinux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 47 groups and 96 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -76,7 +76,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Red Hat Enterprise Linux 7
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:scientificlinux:scientificlinux:7
  • cpe:/o:redhat:enterprise_linux:7::server
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode
  • cpe:/o:redhat:enterprise_linux:7::workstation

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Base Services
    2. Cron and At Daemons

Checklist

+ + + + + + + + + + + + - - - - - - - + - - + + @@ -121,38 +131,18 @@ - - - - - - - + @@ -174,59 +164,52 @@ - - - - - - - + - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -208,23 +133,6 @@ - - - - - - + + + /usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -42,10 +42,40 @@ + + + + + + - + - - - - - - - + - - - - - - - + + + + + + + + + + - - - - - - - - + + - + - + - + - - - - - - - + + + + + + + - - - - - - - + - + - + @@ -198,17 +197,18 @@ - + @@ -285,69 +285,101 @@ - + + + + + + + + + + + + + - - - - - - - + - - + + @@ -121,38 +131,18 @@ - - - - - - - + @@ -174,59 +164,52 @@ - - - - - - - + - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -208,23 +133,6 @@ - - - - - - + + + /usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -42,45 +42,27 @@ - - - - - - - + - - - - - - - - - - - - - - - - - - - + - + + + + + + + - - - - - - - + - + - + @@ -198,17 +197,18 @@ - + @@ -285,69 +285,101 @@ - + - - - - - - - + - - - - - - - - - - - - - - - - - - - + - + - - - - - - - + - + - + - + - - + + - + + + + + + + @@ -189,59 +179,52 @@ - - /usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -553,23 +553,6 @@ - - - - - - + + + + + + - + - + - + @@ -782,18 +781,32 @@ - + + + + + + + @@ -814,31 +827,35 @@ - + - - + + @@ -860,20 +877,21 @@ - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -208,23 +133,6 @@ - - - - - - + + + /usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -42,10 +42,40 @@ + + + + + + - + - - - - - - - + - - - - - - - + + + + + + + + + + - - - - - - - - + + - + - + - + - - - - - - - + + + + + + + - - - - - - - + - + @@ -203,17 +202,18 @@ - + @@ -290,69 +290,101 @@ - + - + + + - - - - - - - + - + - + - + - - + + - + + + + + + + @@ -189,59 +179,52 @@ - - /usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -672,17 +672,16 @@ - + @@ -701,18 +700,32 @@ - + + + + + + + @@ -733,36 +746,23 @@ - - - - - - - + - + - + + + + + + + - - + + @@ -856,21 +874,6 @@ - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -208,23 +133,6 @@ - - - - - - + + + /usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -42,45 +42,27 @@ - - - - - - - + - - - - - - - - - - - - - - - - - - - + - + + + + + + + - - - - - - - + - + @@ -203,17 +202,18 @@ - + @@ -290,69 +290,101 @@ - + - + + +
Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 7   Group contains 28 groups and 51 rules
Group   /usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,6 +43,32 @@
BP28(R1)Remove telnet Clients +The telnet client allows users to start connections to other systems via +the telnet protocol. + +The telnet protocol is insecure and unencrypted. The use +of an unencrypted transmission medium could allow an unauthorized user +to steal credentials. The ssh package provides an +encrypted session and stronger security and is included in Oracle Linux 7. +
BP28(R1)Uninstall talk-server Package +The talk-server package can be removed with the following command: 
 $ sudo yum erase talk-server
+ 		+The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk-server package decreases the +risk of the accidental (or intentional) activation of talk services. +
BP28(R1) Uninstall talk Package The talk package contains the client program for the @@ -61,46 +87,30 @@
BP28(R1)Remove telnet Clients -The telnet client allows users to start connections to other systems via -the telnet protocol. - -The telnet protocol is insecure and unencrypted. The use -of an unencrypted transmission medium could allow an unauthorized user -to steal credentials. The ssh package provides an -encrypted session and stronger security and is included in Oracle Linux 7. -
BP28(R1)Uninstall xinetd PackageUninstall Sendmail Package -The xinetd package can be removed with the following command: +Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command: 
-$ sudo yum erase xinetd
+$ sudo yum erase sendmail 		-Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +The sendmail software was not developed with security in mind and +its design prevents it from being effectively contained by SELinux. Postfix +should be used instead.
BP28(R1)Uninstall ypserv PackageBP28(R1)
NT007(R03)		Uninstall the telnet server -The ypserv package can be removed with the following command: -
-$ sudo yum erase ypserv
+The telnet daemon should be uninstalled. 		-The NIS service provides an unencrypted authentication service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. - -Removing the ypserv package decreases the risk of the accidental -(or intentional) activation of NIS or NIS+ services. +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.'
BP28(R1)Uninstall rsh Package - -The rsh package contains the client commands - -for the rsh services - -These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. -
BP28(R1)Uninstall Sendmail PackageUninstall tftp-server Package -Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: -
-$ sudo yum erase sendmail
+The tftp-server package can be removed with the following command: 
 $ sudo yum erase tftp-server
 -The sendmail software was not developed with security in mind and -its design prevents it from being effectively contained by SELinux. Postfix -should be used instead. +Removing the tftp-server package decreases the risk of the accidental +(or intentional) activation of tftp services. +

+If TFTP is required for operational support (such as transmission of router +configurations), its use must be documented with the Information Systems +Securty Manager (ISSM), restricted to only authorized personnel, and have +access control rules established.
BP28(R1)Remove NIS Client -The Network Information Service (NIS), formerly known as Yellow Pages, -is a client-server directory service protocol used to distribute system configuration -files. The NIS client (ypbind) was used to bind a system to an NIS server -and receive the distributed configuration files. - -The NIS service is inherently an insecure system that has been vulnerable -to DOS attacks, buffer overflows and has poor authentication for querying -NIS maps. NIS generally has been replaced by such protocols as Lightweight -Directory Access Protocol (LDAP). It is recommended that the service be -removed. -
BP28(R1)
NT007(R03)		Uninstall the telnet serverUninstall ypserv Package -The telnet daemon should be uninstalled. +The ypserv package can be removed with the following command: +
+$ sudo yum erase ypserv
 -telnet allows clear text communications, and does not protect -any data transmission between client and server. Any confidential data -can be listened and no integrity checking is made.' +The NIS service provides an unencrypted authentication service which does +not provide for the confidentiality and integrity of user passwords or the +remote session. + +Removing the ypserv package decreases the risk of the accidental +(or intentional) activation of NIS or NIS+ services.
BP28(R1)Uninstall tftp-server PackageUninstall rsh Package -The tftp-server package can be removed with the following command: 
 $ sudo yum erase tftp-server
+ +The rsh package contains the client commands + +for the rsh services 		-Removing the tftp-server package decreases the risk of the accidental -(or intentional) activation of tftp services. -

/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,6 +43,29 @@
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password +If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Remove any instances of the +nullok in + +/etc/pam.d/system-auth + +to prevent logins with empty passwords. +Note that this rule is not applicable for systems running within a +container. Having user with empty password within a container is not +considered a risk, because it should not be possible to directly login into +a container anyway. + +If an account has an empty password, anyone could log in and +run commands with the privileges of that account. Accounts with +empty passwords should never be used in operational environments. +
3.1.1
3.1.5		 Disable SSH Access via Empty Passwords Disallow SSH login with empty passwords. @@ -67,118 +90,20 @@
3.1.1
3.4.5		Require Authentication for Single User Mode -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Verify Only Root Has UID 0 -If any account other than root has a UID of 0, this misconfiguration should -be investigated and the accounts other than root should be removed or have -their UID changed. -
-If the account is associated with system commands or applications the UID -should be changed to one greater than "0" but less than "1000." -Otherwise assign a UID greater than "1000" that has not already been -assigned. - 		-An account has root authority if it has a UID of 0. Multiple accounts -with a UID of 0 afford more opportunity for potential intruders to -guess a password for a privileged account. Proper configuration of -sudo is recommended to afford multiple system administrators -access to root privileges in an accountable manner. -
3.1.1
3.1.5		Restrict Serial Port Root Logins -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
- 		-Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. -
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Disable SSH Root Login -The root user should never be allowed to login to a -system directly over a network. -To disable root login via SSH, add or correct the following line in - - -/etc/ssh/sshd_config: - -
PermitRootLogin no
- 		-Even though the communications channel may be encrypted, an additional layer of -security is gained by extending the policy of not logging directly on as root. -In addition, logging in with a user-specific account provides individual -accountability of actions performed on the system and also helps to minimize -direct attack attempts on root's password. -
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password3.1.1Disable GDM Automatic Login -If an account is configured for password authentication -but does not have an assigned password, it may be possible to log -into the account without authentication. Remove any instances of the -nullok in - -/etc/pam.d/system-auth - -to prevent logins with empty passwords. -Note that this rule is not applicable for systems running within a -container. Having user with empty password within a container is not -considered a risk, because it should not be possible to directly login into -a container anyway. +The GNOME Display Manager (GDM) can allow users to automatically login without +user interaction or credentials. User should always be required to authenticate themselves +to the system that they are authorized to use. To disable user ability to automatically +login to the system, set the AutomaticLoginEnable to false in the +[daemon] section in /etc/gdm/custom.conf. For example: +
[daemon]
+AutomaticLoginEnable=false
 -If an account has an empty password, anyone could log in and -run commands with the privileges of that account. Accounts with -empty passwords should never be used in operational environments. +Failure to restrict system access to authenticated users negatively impacts operating +system security.
3.1.1Disable GDM Automatic Login -The GNOME Display Manager (GDM) can allow users to automatically login without -user interaction or credentials. User should always be required to authenticate themselves -to the system that they are authorized to use. To disable user ability to automatically -login to the system, set the AutomaticLoginEnable to false in the -[daemon] section in /etc/gdm/custom.conf. For example: -
[daemon]
-AutomaticLoginEnable=false
- 		-Failure to restrict system access to authenticated users negatively impacts operating -system security. -
3.1.1
3.1.5		 Restrict Virtual Console Root Logins @@ -242,6 +150,41 @@
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + 		Rationale
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter Time Through clock_settime +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+ 		+Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. +
AU-2(d)
AU-12(c)
CM-6(a)		Record Unsuccessul Ownership Changes to Files - chownRecord Unsuccessul Permission Changes to Files - fchmodat -The audit system should collect unsuccessful file ownership change +The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon @@ -54,59 +84,35 @@ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines: -
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
 -Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter the localtime File -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/localtime -p wa -k audit_time_rules
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/localtime -p wa -k audit_time_rules
-The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport and -should always be used. - 		-Arbitrary changes to the system time can be used to obfuscate -nefarious activities in log files, as well as to confuse network services that -are highly dependent upon an accurate system time (such as sshd). All changes -to the system time should be audited. -
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - setxattrRecord Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 The changing of file permissions could indicate that a user is attempting to @@ -117,42 +123,18 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Ensure auditd Collects Information on Exporting to Media (successful) -At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
- 		-The unauthorized exportation of data to external media could result in an information leak -where classified information, Privacy Act information, and intellectual property could be lost. An audit -trail should be created each time a filesystem is mounted to help identify and guard against information -loss. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Any Attempts to Run seunshareEnsure auditd Collects Information on the Use of Privileged Commands - su -At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
 Misuse of privileged functions, either intentionally or unintentionally by @@ -168,6 +150,51 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter Logon and Logout Events - faillock +The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/run/faillock -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/run/faillock -p wa -k logins
+ 		+Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. +
AU-2(d)
AU-12(c)
CM-6(a)		Ensure auditd Collects File Deletion Events by User - rename +At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the /usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -57,21 +57,6 @@
FAU_GEN.1Set hostname as computer node name in audit logs -To configure Audit daemon to use value returned by gethostname -syscall as computer node name in the audit events, -set name_format to hostname -in /etc/audit/auditd.conf. - -If option name_format is left at its default value of -none, audit events from different computers may be hard -to distinguish. -
FAU_GEN.1 Set number of records to cause an explicit flush to audit logs To configure Audit daemon to issue an explicit flush to disk command @@ -85,83 +70,82 @@
FAU_GEN.1.1.cEnsure cron Is Logging To RsyslogFAU_GEN.1Set hostname as computer node name in audit logs -Cron logging must be implemented to spot intrusions or trace -cron job status. If cron is not logging to rsyslog, it -can be implemented by adding the following to the RULES section of -/etc/rsyslog.conf: -
cron.*                                                  /var/log/cron
+To configure Audit daemon to use value returned by gethostname +syscall as computer node name in the audit events, +set name_format to hostname +in /etc/audit/auditd.conf. 		-Cron logging can be used to trace the successful or unsuccessful execution -of cron jobs. It can also be used to spot intrusions into the use of the cron -facility by unauthorized and malicious users. +If option name_format is left at its default value of +none, audit events from different computers may be hard +to distinguish.
FAU_GEN.1.1.cRecord Events that Modify the System's Discretionary Access Controls - setxattrRecord Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group -At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +The audit system should collect write events to /etc/group file for all group and root. +If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
 -The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. +Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise.
FAU_GEN.1.1.cRecord Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadowRecord Events that Modify the System's Discretionary Access Controls - lsetxattr -The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured +At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 -Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.
FAU_GEN.1.1.cRecord Any Attempts to Run seunshareEnsure auditd Collects Information on the Use of Privileged Commands - su -At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
 Misuse of privileged functions, either intentionally or unintentionally by @@ -178,132 +162,64 @@
FAU_GEN.1.1.cRecord Events that Modify the System's Discretionary Access Controls - lremovexattr -At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- 		-The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. -
FAU_GEN.1.1.cRecord Events that Modify the System's Discretionary Access Controls - fremovexattrRecord Attempts to Alter Logon and Logout Events - faillock -At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text) --- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -59,6 +59,34 @@
Req-6.2Ensure gpgcheck Enabled In Main yum Configuration +The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
+ 		+Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA). +
Req-6.2 Ensure gpgcheck Enabled for All yum Package Repositories To ensure signature checking is not disabled for @@ -76,30 +104,6 @@
Req-6.2Ensure Oracle Linux GPG Key Installed -To ensure the system can cryptographically verify base software -packages come from Oracle (and to connect to the Unbreakable Linux Network to -receive them), the Oracle GPG key must properly be installed. -To install the Oracle GPG key, run: -
$ sudo uln_register
-If the system is not connected to the Internet, -then install the Oracle GPG key from trusted media such as -the Oracle installation CD-ROM or DVD. Assuming the disc is mounted -in /media/cdrom, use the following command as the root user to import -it into the keyring: -
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
- 		-Changes to software components can have significant effects on the -overall security of the operating system. This requirement ensures -the software has not been tampered with and that it has been provided -by a trusted vendor. The Oracle GPG key is necessary to -cryptographically verify packages are from Oracle. -
Req-6.2 Ensure Software Patches Installed @@ -123,42 +127,38 @@
Req-6.2Ensure gpgcheck Enabled In Main yum ConfigurationEnsure Oracle Linux GPG Key Installed -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
+To ensure the system can cryptographically verify base software +packages come from Oracle (and to connect to the Unbreakable Linux Network to +receive them), the Oracle GPG key must properly be installed. +To install the Oracle GPG key, run: +
$ sudo uln_register
+If the system is not connected to the Internet, +then install the Oracle GPG key from trusted media such as +the Oracle installation CD-ROM or DVD. Assuming the disc is mounted +in /media/cdrom, use the following command as the root user to import +it into the keyring: +
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
 -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). +Changes to software components can have significant effects on the +overall security of the operating system. This requirement ensures +the software has not been tampered with and that it has been provided +by a trusted vendor. The Oracle GPG key is necessary to +cryptographically verify packages are from Oracle.
Req-7.1Verify /boot/grub2/grub.cfg User OwnershipVerify the UEFI Boot Loader grub.cfg User Ownership -The file /boot/grub2/grub.cfg should +The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
Only root should be able to modify important boot parameters. @@ -166,18 +166,17 @@
Req-7.1Verify /boot/grub2/grub.cfg Group OwnershipVerify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
Req-7.1Verify the UEFI Boot Loader grub.cfg User OwnershipVerify /boot/grub2/grub.cfg Group Ownership -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
 -Only root should be able to modify important boot parameters. +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway.
Req-8.1.8Ensure Users Cannot Change GNOME3 Screensaver Idle ActivationEnable GNOME3 Screensaver Idle Activation -If not already configured, ensure that users cannot change GNOME3 screensaver lock settings -by adding 
/org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings. +To activate the screensaver in the GNOME3 desktop after a period of inactivity, +add or set idle-activation-enabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/desktop/screensaver]
+idle-activation-enabled=true
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. /usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text) --- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,6 +43,32 @@
BP28(R1)Remove telnet Clients +The telnet client allows users to start connections to other systems via +the telnet protocol. + +The telnet protocol is insecure and unencrypted. The use +of an unencrypted transmission medium could allow an unauthorized user +to steal credentials. The ssh package provides an +encrypted session and stronger security and is included in Oracle Linux 8. +
BP28(R1)Uninstall talk-server Package +The talk-server package can be removed with the following command: 
 $ sudo yum erase talk-server
+ 		+The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk-server package decreases the +risk of the accidental (or intentional) activation of talk services. +
BP28(R1) Uninstall talk Package The talk package contains the client program for the @@ -61,46 +87,30 @@
BP28(R1)Remove telnet Clients -The telnet client allows users to start connections to other systems via -the telnet protocol. - -The telnet protocol is insecure and unencrypted. The use -of an unencrypted transmission medium could allow an unauthorized user -to steal credentials. The ssh package provides an -encrypted session and stronger security and is included in Oracle Linux 8. -
BP28(R1)Uninstall xinetd PackageUninstall Sendmail Package -The xinetd package can be removed with the following command: +Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command: 
-$ sudo yum erase xinetd
+$ sudo yum erase sendmail 		-Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +The sendmail software was not developed with security in mind and +its design prevents it from being effectively contained by SELinux. Postfix +should be used instead.
BP28(R1)Uninstall ypserv PackageBP28(R1)
NT007(R03)		Uninstall the telnet server -The ypserv package can be removed with the following command: -
-$ sudo yum erase ypserv
+The telnet daemon should be uninstalled. 		-The NIS service provides an unencrypted authentication service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. - -Removing the ypserv package decreases the risk of the accidental -(or intentional) activation of NIS or NIS+ services. +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.'
BP28(R1)Uninstall rsh Package - -The rsh package contains the client commands - -for the rsh services - -These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. -
BP28(R1)Uninstall Sendmail PackageUninstall tftp-server Package -Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: -
-$ sudo yum erase sendmail
+The tftp-server package can be removed with the following command: 
 $ sudo yum erase tftp-server
 -The sendmail software was not developed with security in mind and -its design prevents it from being effectively contained by SELinux. Postfix -should be used instead. +Removing the tftp-server package decreases the risk of the accidental +(or intentional) activation of tftp services. +

+If TFTP is required for operational support (such as transmission of router +configurations), its use must be documented with the Information Systems +Securty Manager (ISSM), restricted to only authorized personnel, and have +access control rules established.
BP28(R1)Remove NIS Client -The Network Information Service (NIS), formerly known as Yellow Pages, -is a client-server directory service protocol used to distribute system configuration -files. The NIS client (ypbind) was used to bind a system to an NIS server -and receive the distributed configuration files. - -The NIS service is inherently an insecure system that has been vulnerable -to DOS attacks, buffer overflows and has poor authentication for querying -NIS maps. NIS generally has been replaced by such protocols as Lightweight -Directory Access Protocol (LDAP). It is recommended that the service be -removed. -
BP28(R1)
NT007(R03)		Uninstall the telnet serverUninstall ypserv Package -The telnet daemon should be uninstalled. +The ypserv package can be removed with the following command: +
+$ sudo yum erase ypserv
 -telnet allows clear text communications, and does not protect -any data transmission between client and server. Any confidential data -can be listened and no integrity checking is made.' +The NIS service provides an unencrypted authentication service which does +not provide for the confidentiality and integrity of user passwords or the +remote session. + +Removing the ypserv package decreases the risk of the accidental +(or intentional) activation of NIS or NIS+ services.
BP28(R1)Uninstall tftp-server PackageUninstall rsh Package -The tftp-server package can be removed with the following command: 
 $ sudo yum erase tftp-server
+ +The rsh package contains the client commands + +for the rsh services 		-Removing the tftp-server package decreases the risk of the accidental -(or intentional) activation of tftp services. -

/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text) --- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,6 +43,29 @@
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password +If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Remove any instances of the +nullok in + +/etc/pam.d/system-auth + +to prevent logins with empty passwords. +Note that this rule is not applicable for systems running within a +container. Having user with empty password within a container is not +considered a risk, because it should not be possible to directly login into +a container anyway. + +If an account has an empty password, anyone could log in and +run commands with the privileges of that account. Accounts with +empty passwords should never be used in operational environments. +
3.1.1
3.1.5		 Disable SSH Access via Empty Passwords Disallow SSH login with empty passwords. @@ -67,118 +90,20 @@
3.1.1
3.4.5		Require Authentication for Single User Mode -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Verify Only Root Has UID 0 -If any account other than root has a UID of 0, this misconfiguration should -be investigated and the accounts other than root should be removed or have -their UID changed. -
-If the account is associated with system commands or applications the UID -should be changed to one greater than "0" but less than "1000." -Otherwise assign a UID greater than "1000" that has not already been -assigned. - 		-An account has root authority if it has a UID of 0. Multiple accounts -with a UID of 0 afford more opportunity for potential intruders to -guess a password for a privileged account. Proper configuration of -sudo is recommended to afford multiple system administrators -access to root privileges in an accountable manner. -
3.1.1
3.1.5		Restrict Serial Port Root Logins -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
- 		-Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. -
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Disable SSH Root Login -The root user should never be allowed to login to a -system directly over a network. -To disable root login via SSH, add or correct the following line in - - -/etc/ssh/sshd_config: - -
PermitRootLogin no
- 		-Even though the communications channel may be encrypted, an additional layer of -security is gained by extending the policy of not logging directly on as root. -In addition, logging in with a user-specific account provides individual -accountability of actions performed on the system and also helps to minimize -direct attack attempts on root's password. -
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password3.1.1Disable GDM Automatic Login -If an account is configured for password authentication -but does not have an assigned password, it may be possible to log -into the account without authentication. Remove any instances of the -nullok in - -/etc/pam.d/system-auth - -to prevent logins with empty passwords. -Note that this rule is not applicable for systems running within a -container. Having user with empty password within a container is not -considered a risk, because it should not be possible to directly login into -a container anyway. +The GNOME Display Manager (GDM) can allow users to automatically login without +user interaction or credentials. User should always be required to authenticate themselves +to the system that they are authorized to use. To disable user ability to automatically +login to the system, set the AutomaticLoginEnable to false in the +[daemon] section in /etc/gdm/custom.conf. For example: +
[daemon]
+AutomaticLoginEnable=false
 -If an account has an empty password, anyone could log in and -run commands with the privileges of that account. Accounts with -empty passwords should never be used in operational environments. +Failure to restrict system access to authenticated users negatively impacts operating +system security.
3.1.1Disable GDM Automatic Login -The GNOME Display Manager (GDM) can allow users to automatically login without -user interaction or credentials. User should always be required to authenticate themselves -to the system that they are authorized to use. To disable user ability to automatically -login to the system, set the AutomaticLoginEnable to false in the -[daemon] section in /etc/gdm/custom.conf. For example: -
[daemon]
-AutomaticLoginEnable=false
- 		-Failure to restrict system access to authenticated users negatively impacts operating -system security. -
3.1.1
3.1.5		 Restrict Virtual Console Root Logins @@ -242,6 +150,41 @@
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + 		Rationale
AU-2(d)
AU-12(c)
CM-6(a)		Record Unsuccessul Ownership Changes to Files - chown -The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. -
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines: -
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
- 		-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter the localtime FileRecord Attempts to Alter Time Through clock_settime If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/localtime -p wa -k audit_time_rules
+augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/localtime -p wa -k audit_time_rules
+
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport and -should always be used. +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
 Arbitrary changes to the system time can be used to obfuscate @@ -91,136 +73,46 @@
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - setxattr -At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- 		-The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Ensure auditd Collects Information on Exporting to Media (successful) -At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
- 		-The unauthorized exportation of data to external media could result in an information leak -where classified information, Privacy Act information, and intellectual property could be lost. An audit -trail should be created each time a filesystem is mounted to help identify and guard against information -loss. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Any Attempts to Run seunshare -At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
- 		-Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. -
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - lremovexattrRecord Unsuccessul Permission Changes to Files - fchmodat -At a minimum, the audit system should collect file permission -changes for all users and root. -

+The audit system should collect unsuccessful file permission change +attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
 -The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. +Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - fremovexattrRecord Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: /usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text) --- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -59,6 +59,34 @@
Req-6.2Ensure gpgcheck Enabled In Main yum Configuration +The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
+ 		+Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA). +
Req-6.2 Ensure gpgcheck Enabled for All yum Package Repositories To ensure signature checking is not disabled for @@ -76,30 +104,6 @@
Req-6.2Ensure Oracle Linux GPG Key Installed -To ensure the system can cryptographically verify base software -packages come from Oracle (and to connect to the Unbreakable Linux Network to -receive them), the Oracle GPG key must properly be installed. -To install the Oracle GPG key, run: -
$ sudo uln_register
-If the system is not connected to the Internet, -then install the Oracle GPG key from trusted media such as -the Oracle installation CD-ROM or DVD. Assuming the disc is mounted -in /media/cdrom, use the following command as the root user to import -it into the keyring: -
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
- 		-Changes to software components can have significant effects on the -overall security of the operating system. This requirement ensures -the software has not been tampered with and that it has been provided -by a trusted vendor. The Oracle GPG key is necessary to -cryptographically verify packages are from Oracle. -
Req-6.2 Ensure Software Patches Installed @@ -123,42 +127,38 @@
Req-6.2Ensure gpgcheck Enabled In Main yum ConfigurationEnsure Oracle Linux GPG Key Installed -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
+To ensure the system can cryptographically verify base software +packages come from Oracle (and to connect to the Unbreakable Linux Network to +receive them), the Oracle GPG key must properly be installed. +To install the Oracle GPG key, run: +
$ sudo uln_register
+If the system is not connected to the Internet, +then install the Oracle GPG key from trusted media such as +the Oracle installation CD-ROM or DVD. Assuming the disc is mounted +in /media/cdrom, use the following command as the root user to import +it into the keyring: +
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
 -Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). +Changes to software components can have significant effects on the +overall security of the operating system. This requirement ensures +the software has not been tampered with and that it has been provided +by a trusted vendor. The Oracle GPG key is necessary to +cryptographically verify packages are from Oracle.
Req-7.1Verify /boot/grub2/grub.cfg User OwnershipVerify the UEFI Boot Loader grub.cfg User Ownership -The file /boot/grub2/grub.cfg should +The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
Only root should be able to modify important boot parameters. @@ -166,18 +166,17 @@
Req-7.1Verify /boot/grub2/grub.cfg Group OwnershipVerify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
Req-7.1Verify the UEFI Boot Loader grub.cfg User OwnershipVerify /boot/grub2/grub.cfg Group Ownership -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
 -Only root should be able to modify important boot parameters. +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway.
Req-8.1.8Ensure Users Cannot Change GNOME3 Screensaver Idle ActivationEnable GNOME3 Screensaver Idle Activation -If not already configured, ensure that users cannot change GNOME3 screensaver lock settings -by adding 
/org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings. +To activate the screensaver in the GNOME3 desktop after a period of inactivity, +add or set idle-activation-enabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/desktop/screensaver]
+idle-activation-enabled=true
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. /usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -42,45 +42,27 @@ 		Rationale
AU-2(d)
AU-12(c)
CM-6(a)		Record Unsuccessul Ownership Changes to Files - chown -The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. -
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines: -
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
- 		-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter the localtime FileRecord Attempts to Alter Time Through clock_settime If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/localtime -p wa -k audit_time_rules
+augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/localtime -p wa -k audit_time_rules
+
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport and -should always be used. +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
 Arbitrary changes to the system time can be used to obfuscate @@ -91,136 +73,46 @@
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - setxattr -At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- 		-The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Ensure auditd Collects Information on Exporting to Media (successful) -At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
- 		-The unauthorized exportation of data to external media could result in an information leak -where classified information, Privacy Act information, and intellectual property could be lost. An audit -trail should be created each time a filesystem is mounted to help identify and guard against information -loss. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Any Attempts to Run seunshare -At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
- 		-Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. -
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - lremovexattrRecord Unsuccessul Permission Changes to Files - fchmodat -At a minimum, the audit system should collect file permission -changes for all users and root. -

+The audit system should collect unsuccessful file permission change +attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

+startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
 -The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. +Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - fremovexattrRecord Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: /usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,24 +43,6 @@
BP28(R1)Uninstall talk Package -The talk package contains the client program for the -Internet talk protocol, which allows the user to chat with other users on -different systems. Talk is a communication program which copies lines from one -terminal to the terminal of another user. -The talk package can be removed with the following command: -
-$ sudo yum erase talk
- 		-The talk software presents a security risk as it uses unencrypted protocols -for communications. Removing the talk package decreases the -risk of the accidental (or intentional) activation of talk client program. -
BP28(R1) Remove telnet Clients The telnet client allows users to start connections to other systems via @@ -75,99 +57,107 @@
BP28(R1)Uninstall xinetd PackageRemove tftp Daemon -The xinetd package can be removed with the following command: -
-$ sudo yum erase xinetd
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, +typically used to automatically transfer configuration or boot files between systems. +TFTP does not support authentication and can be easily hacked. The package +tftp is a client program that allows for connections to a tftp server. 		-Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +It is recommended that TFTP be removed, unless there is a specific need +for TFTP (such as a boot server). In that case, use extreme caution when configuring +the services.
BP28(R1)Uninstall ypserv PackageUninstall talk-server Package -The ypserv package can be removed with the following command: -
-$ sudo yum erase ypserv
+The talk-server package can be removed with the following command: 
 $ sudo yum erase talk-server
 -The NIS service provides an unencrypted authentication service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. - -Removing the ypserv package decreases the risk of the accidental -(or intentional) activation of NIS or NIS+ services. +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk-server package decreases the +risk of the accidental (or intentional) activation of talk services.
BP28(R1)Uninstall DHCP Server PackageUninstall talk Package -If the system does not need to act as a DHCP server, -the dhcp package can be uninstalled. - -The dhcp package can be removed with the following command: +The talk package contains the client program for the +Internet talk protocol, which allows the user to chat with other users on +different systems. Talk is a communication program which copies lines from one +terminal to the terminal of another user. +The talk package can be removed with the following command: 
-$ sudo yum erase dhcp
+$ sudo yum erase talk 		-Removing the DHCP server ensures that it cannot be easily or -accidentally reactivated and disrupt network operation. +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk package decreases the +risk of the accidental (or intentional) activation of talk client program.
BP28(R1)Uninstall rsh PackageUninstall Sendmail Package - -The rsh package contains the client commands - -for the rsh services +Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command: +
+$ sudo yum erase sendmail
 -These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. +The sendmail software was not developed with security in mind and +its design prevents it from being effectively contained by SELinux. Postfix +should be used instead.
BP28(R1)Remove tftp DaemonBP28(R1)
NT007(R03)		Uninstall the telnet server -Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, -typically used to automatically transfer configuration or boot files between systems. -TFTP does not support authentication and can be easily hacked. The package -tftp is a client program that allows for connections to a tftp server. +The telnet daemon should be uninstalled. -It is recommended that TFTP be removed, unless there is a specific need -for TFTP (such as a boot server). In that case, use extreme caution when configuring -the services. +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.'
BP28(R1)Uninstall Sendmail PackageUninstall DHCP Server Package -Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: +If the system does not need to act as a DHCP server, +the dhcp package can be uninstalled. + +The dhcp package can be removed with the following command: 
-$ sudo yum erase sendmail
+$ sudo yum erase dhcp 		-The sendmail software was not developed with security in mind and -its design prevents it from being effectively contained by SELinux. Postfix -should be used instead. +Removing the DHCP server ensures that it cannot be easily or +accidentally reactivated and disrupt network operation. +
BP28(R1)Uninstall tftp-server Package +The tftp-server package can be removed with the following command: 
 $ sudo yum erase tftp-server
+ 		+Removing the tftp-server package decreases the risk of the accidental +(or intentional) activation of tftp services. +

+If TFTP is required for operational support (such as transmission of router +configurations), its use must be documented with the Information Systems +Securty Manager (ISSM), restricted to only authorized personnel, and have +access control rules established.
BP28(R1)Remove NIS Client -The Network Information Service (NIS), formerly known as Yellow Pages, -is a client-server directory service protocol used to distribute system configuration -files. The NIS client (ypbind) was used to bind a system to an NIS server -and receive the distributed configuration files. -
1.2.3Ensure gpgcheck Enabled for All yum Package Repositories -To ensure signature checking is not disabled for -any repos, remove any lines from files in /etc/yum.repos.d of the form: -
gpgcheck=0
- 		-Verifying the authenticity of the software prior to installation validates -the integrity of the patch or upgrade received from a vendor. This ensures -the software has not been tampered with and that it has been provided by a -trusted vendor. Self-signed certificates are disallowed by this -requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA)." -
1.2.3 Ensure gpgcheck Enabled In Main yum Configuration The gpgcheck option controls whether @@ -598,6 +581,23 @@
1.2.3Ensure gpgcheck Enabled for All yum Package Repositories +To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +
gpgcheck=0
+ 		+Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This ensures +the software has not been tampered with and that it has been provided by a +trusted vendor. Self-signed certificates are disallowed by this +requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA)." +
1.2.3 Ensure Red Hat GPG Key Installed To ensure the system can cryptographically verify base software packages @@ -709,7 +709,7 @@
1.4.1Set the UEFI Boot Loader PasswordSet Boot Loader Password in grub2 The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. @@ -731,7 +731,7 @@
1.4.1Set Boot Loader Password in grub2Set the UEFI Boot Loader Password The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. @@ -753,17 +753,16 @@
1.4.2Verify /boot/grub2/grub.cfg User OwnershipVerify the UEFI Boot Loader grub.cfg Permissions -The file /boot/grub2/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. +File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg
+To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
 -Only root should be able to modify important boot parameters. +Proper permissions ensure that only the root user can modify important boot +parameters.
1.4.2Verify /boot/grub2/grub.cfg Group OwnershipVerify the UEFI Boot Loader grub.cfg User Ownership +The file /boot/efi/EFI/redhat/grub.cfg should +be owned by the root user to prevent destruction +or modification of the file. + +To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+ 		+Only root should be able to modify important boot parameters. +
1.4.2Verify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
1.4.2Verify the UEFI Boot Loader grub.cfg PermissionsVerify /boot/grub2/grub.cfg Group Ownership -File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. -To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
 -Proper permissions ensure that only the root user can modify important boot -parameters. +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway.
1.4.2Verify the UEFI Boot Loader grub.cfg User Ownership1.4.3Require Authentication for Emergency Systemd Target -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. - -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. 		-Only root should be able to modify important boot parameters. +This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password.
1.4.3Require Authentication for Emergency Systemd Target1.5.1Disable storing core dump -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +The Storage option in [Coredump] section +of /etc/systemd/coredump.conf /usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,6 +43,29 @@
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password +If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Remove any instances of the +nullok in + +/etc/pam.d/system-auth + +to prevent logins with empty passwords. +Note that this rule is not applicable for systems running within a +container. Having user with empty password within a container is not +considered a risk, because it should not be possible to directly login into +a container anyway. + +If an account has an empty password, anyone could log in and +run commands with the privileges of that account. Accounts with +empty passwords should never be used in operational environments. +
3.1.1
3.1.5		 Disable SSH Access via Empty Passwords Disallow SSH login with empty passwords. @@ -67,118 +90,20 @@
3.1.1
3.4.5		Require Authentication for Single User Mode -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Verify Only Root Has UID 0 -If any account other than root has a UID of 0, this misconfiguration should -be investigated and the accounts other than root should be removed or have -their UID changed. -
-If the account is associated with system commands or applications the UID -should be changed to one greater than "0" but less than "1000." -Otherwise assign a UID greater than "1000" that has not already been -assigned. - 		-An account has root authority if it has a UID of 0. Multiple accounts -with a UID of 0 afford more opportunity for potential intruders to -guess a password for a privileged account. Proper configuration of -sudo is recommended to afford multiple system administrators -access to root privileges in an accountable manner. -
3.1.1
3.1.5		Restrict Serial Port Root Logins -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
- 		-Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. -
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Disable SSH Root Login -The root user should never be allowed to login to a -system directly over a network. -To disable root login via SSH, add or correct the following line in - - -/etc/ssh/sshd_config: - -
PermitRootLogin no
- 		-Even though the communications channel may be encrypted, an additional layer of -security is gained by extending the policy of not logging directly on as root. -In addition, logging in with a user-specific account provides individual -accountability of actions performed on the system and also helps to minimize -direct attack attempts on root's password. -
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password3.1.1Disable GDM Automatic Login -If an account is configured for password authentication -but does not have an assigned password, it may be possible to log -into the account without authentication. Remove any instances of the -nullok in - -/etc/pam.d/system-auth - -to prevent logins with empty passwords. -Note that this rule is not applicable for systems running within a -container. Having user with empty password within a container is not -considered a risk, because it should not be possible to directly login into -a container anyway. +The GNOME Display Manager (GDM) can allow users to automatically login without +user interaction or credentials. User should always be required to authenticate themselves +to the system that they are authorized to use. To disable user ability to automatically +login to the system, set the AutomaticLoginEnable to false in the +[daemon] section in /etc/gdm/custom.conf. For example: +
[daemon]
+AutomaticLoginEnable=false
 -If an account has an empty password, anyone could log in and -run commands with the privileges of that account. Accounts with -empty passwords should never be used in operational environments. +Failure to restrict system access to authenticated users negatively impacts operating +system security.
3.1.1Disable GDM Automatic Login -The GNOME Display Manager (GDM) can allow users to automatically login without -user interaction or credentials. User should always be required to authenticate themselves -to the system that they are authorized to use. To disable user ability to automatically -login to the system, set the AutomaticLoginEnable to false in the -[daemon] section in /etc/gdm/custom.conf. For example: -
[daemon]
-AutomaticLoginEnable=false
- 		-Failure to restrict system access to authenticated users negatively impacts operating -system security. -
3.1.1
3.1.5		 Restrict Virtual Console Root Logins @@ -242,6 +150,41 @@
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + 		Rationale
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter Time Through clock_settime +If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+ 		+Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. +
AU-2(d)
AU-12(c)
CM-6(a)		Record Unsuccessul Ownership Changes to Files - chownRecord Unsuccessul Permission Changes to Files - fchmodat -The audit system should collect unsuccessful file ownership change +The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon @@ -54,59 +84,35 @@ If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. -
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines: -
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
 -Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter the localtime File -If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/localtime -p wa -k audit_time_rules
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-w /etc/localtime -p wa -k audit_time_rules
-The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport and -should always be used. - 		-Arbitrary changes to the system time can be used to obfuscate -nefarious activities in log files, as well as to confuse network services that -are highly dependent upon an accurate system time (such as sshd). All changes -to the system time should be audited. -
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - setxattrRecord Events that Modify the System's Discretionary Access Controls - lsetxattr At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 The changing of file permissions could indicate that a user is attempting to @@ -117,42 +123,18 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Ensure auditd Collects Information on Exporting to Media (successful) -At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
- 		-The unauthorized exportation of data to external media could result in an information leak -where classified information, Privacy Act information, and intellectual property could be lost. An audit -trail should be created each time a filesystem is mounted to help identify and guard against information -loss. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Any Attempts to Run seunshareEnsure auditd Collects Information on the Use of Privileged Commands - su -At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
 Misuse of privileged functions, either intentionally or unintentionally by @@ -168,6 +150,51 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter Logon and Logout Events - faillock +The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +
-w /var/run/faillock -p wa -k logins
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +
-w /var/run/faillock -p wa -k logins
+ 		+Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. +
AU-2(d)
AU-12(c)
CM-6(a)		Ensure auditd Collects File Deletion Events by User - rename +At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the /usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -57,21 +57,6 @@
FAU_GEN.1Set hostname as computer node name in audit logs -To configure Audit daemon to use value returned by gethostname -syscall as computer node name in the audit events, -set name_format to hostname -in /etc/audit/auditd.conf. - -If option name_format is left at its default value of -none, audit events from different computers may be hard -to distinguish. -
FAU_GEN.1 Set number of records to cause an explicit flush to audit logs To configure Audit daemon to issue an explicit flush to disk command @@ -85,83 +70,82 @@
FAU_GEN.1.1.cEnsure cron Is Logging To RsyslogFAU_GEN.1Set hostname as computer node name in audit logs -Cron logging must be implemented to spot intrusions or trace -cron job status. If cron is not logging to rsyslog, it -can be implemented by adding the following to the RULES section of -/etc/rsyslog.conf: -
cron.*                                                  /var/log/cron
+To configure Audit daemon to use value returned by gethostname +syscall as computer node name in the audit events, +set name_format to hostname +in /etc/audit/auditd.conf. 		-Cron logging can be used to trace the successful or unsuccessful execution -of cron jobs. It can also be used to spot intrusions into the use of the cron -facility by unauthorized and malicious users. +If option name_format is left at its default value of +none, audit events from different computers may be hard +to distinguish.
FAU_GEN.1.1.cRecord Events that Modify the System's Discretionary Access Controls - setxattrRecord Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group -At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured +The audit system should collect write events to /etc/group file for all group and root. +If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix +startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to +utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
 -The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. +Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise.
FAU_GEN.1.1.cRecord Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadowRecord Events that Modify the System's Discretionary Access Controls - lsetxattr -The audit system should collect write events to /etc/gshadow file for all users and root. -If the auditd daemon is configured +At a minimum, the audit system should collect file permission +changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix +startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to +utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
 -Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. -Auditing these events could serve as evidence of potential system compromise. +The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users.
FAU_GEN.1.1.cRecord Any Attempts to Run seunshareEnsure auditd Collects Information on the Use of Privileged Commands - su -At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
 Misuse of privileged functions, either intentionally or unintentionally by @@ -178,132 +162,64 @@
FAU_GEN.1.1.cRecord Events that Modify the System's Discretionary Access Controls - lremovexattr -At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
- 		-The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. -
FAU_GEN.1.1.cRecord Events that Modify the System's Discretionary Access Controls - fremovexattrRecord Attempts to Alter Logon and Logout Events - faillock -At a minimum, the audit system should collect file permission -changes for all users and root. -

-If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -59,6 +59,34 @@
Req-6.2Ensure gpgcheck Enabled In Main yum Configuration +The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
+ 		+Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA). +
Req-6.2 Ensure gpgcheck Enabled for All yum Package Repositories To ensure signature checking is not disabled for @@ -99,34 +127,6 @@
Req-6.2Ensure gpgcheck Enabled In Main yum Configuration -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
- 		-Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). -
Req-6.2 Ensure Red Hat GPG Key Installed To ensure the system can cryptographically verify base software packages @@ -156,14 +156,14 @@
Req-7.1Verify /boot/grub2/grub.cfg User OwnershipVerify the UEFI Boot Loader grub.cfg User Ownership -The file /boot/grub2/grub.cfg should +The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
Only root should be able to modify important boot parameters. @@ -171,18 +171,17 @@
Req-7.1Verify /boot/grub2/grub.cfg Group OwnershipVerify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
Req-7.1Verify the UEFI Boot Loader grub.cfg User OwnershipVerify /boot/grub2/grub.cfg Group Ownership -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
 -Only root should be able to modify important boot parameters. +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway.
Req-8.1.8Ensure Users Cannot Change GNOME3 Screensaver Idle ActivationEnable GNOME3 Screensaver Idle Activation -If not already configured, ensure that users cannot change GNOME3 screensaver lock settings -by adding 
/org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings. +To activate the screensaver in the GNOME3 desktop after a period of inactivity, +add or set idle-activation-enabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/desktop/screensaver]
+idle-activation-enabled=true
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update. 		-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity -of the information system but does not want to logout because of the temporary nature of the absense. +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, +GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the +session lock. +

+Enabling idle activation of the screensaver ensures the screensaver will +be activated after the idle delay. Applications requiring continuous, +real-time screen display (such as network management products) require the +login session does not have administrator rights and the display station is located in a +controlled-access area.
Req-8.1.8Enable GNOME3 Screensaver Lock After Idle PeriodSet SSH Idle Timeout Interval +SSH allows administrators to set an idle timeout interval. After this interval +has passed, the idle user will be automatically logged out. +

+To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as +follows: +
ClientAliveInterval 300
+

+The timeout interval is given in seconds. For example, have a timeout +of 10 minutes, set interval to 600. +

+If a shorter timeout has already been set for the login shell, that value will +preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that +some processes may stop SSH from correctly detecting that the user is idle. + 		+Terminating an idle ssh session within a short time period reduces the window of /usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,24 +43,6 @@
BP28(R1)Uninstall talk Package -The talk package contains the client program for the -Internet talk protocol, which allows the user to chat with other users on -different systems. Talk is a communication program which copies lines from one -terminal to the terminal of another user. -The talk package can be removed with the following command: -
-$ sudo yum erase talk
- 		-The talk software presents a security risk as it uses unencrypted protocols -for communications. Removing the talk package decreases the -risk of the accidental (or intentional) activation of talk client program. -
BP28(R1) Remove telnet Clients The telnet client allows users to start connections to other systems via @@ -75,99 +57,107 @@
BP28(R1)Uninstall xinetd PackageRemove tftp Daemon -The xinetd package can be removed with the following command: -
-$ sudo yum erase xinetd
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, +typically used to automatically transfer configuration or boot files between systems. +TFTP does not support authentication and can be easily hacked. The package +tftp is a client program that allows for connections to a tftp server. 		-Removing the xinetd package decreases the risk of the -xinetd service's accidental (or intentional) activation. +It is recommended that TFTP be removed, unless there is a specific need +for TFTP (such as a boot server). In that case, use extreme caution when configuring +the services.
BP28(R1)Uninstall ypserv PackageUninstall talk-server Package -The ypserv package can be removed with the following command: -
-$ sudo yum erase ypserv
+The talk-server package can be removed with the following command: 
 $ sudo yum erase talk-server
 -The NIS service provides an unencrypted authentication service which does -not provide for the confidentiality and integrity of user passwords or the -remote session. - -Removing the ypserv package decreases the risk of the accidental -(or intentional) activation of NIS or NIS+ services. +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk-server package decreases the +risk of the accidental (or intentional) activation of talk services.
BP28(R1)Uninstall DHCP Server PackageUninstall talk Package -If the system does not need to act as a DHCP server, -the dhcp package can be uninstalled. - -The dhcp-server package can be removed with the following command: +The talk package contains the client program for the +Internet talk protocol, which allows the user to chat with other users on +different systems. Talk is a communication program which copies lines from one +terminal to the terminal of another user. +The talk package can be removed with the following command: 
-$ sudo yum erase dhcp-server
+$ sudo yum erase talk 		-Removing the DHCP server ensures that it cannot be easily or -accidentally reactivated and disrupt network operation. +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the talk package decreases the +risk of the accidental (or intentional) activation of talk client program.
BP28(R1)Uninstall rsh PackageUninstall Sendmail Package - -The rsh package contains the client commands - -for the rsh services +Sendmail is not the default mail transfer agent and is +not installed by default. +The sendmail package can be removed with the following command: +
+$ sudo yum erase sendmail
 -These legacy clients contain numerous security exposures and have -been replaced with the more secure SSH package. Even if the server is removed, -it is best to ensure the clients are also removed to prevent users from -inadvertently attempting to use these commands and therefore exposing - -their credentials. Note that removing the rsh package removes - -the clients for rsh,rcp, and rlogin. +The sendmail software was not developed with security in mind and +its design prevents it from being effectively contained by SELinux. Postfix +should be used instead.
BP28(R1)Remove tftp DaemonBP28(R1)
NT007(R03)		Uninstall the telnet server -Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, -typically used to automatically transfer configuration or boot files between systems. -TFTP does not support authentication and can be easily hacked. The package -tftp is a client program that allows for connections to a tftp server. +The telnet daemon should be uninstalled. -It is recommended that TFTP be removed, unless there is a specific need -for TFTP (such as a boot server). In that case, use extreme caution when configuring -the services. +telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.'
BP28(R1)Uninstall Sendmail PackageUninstall DHCP Server Package -Sendmail is not the default mail transfer agent and is -not installed by default. -The sendmail package can be removed with the following command: +If the system does not need to act as a DHCP server, +the dhcp package can be uninstalled. + +The dhcp-server package can be removed with the following command: 
-$ sudo yum erase sendmail
+$ sudo yum erase dhcp-server 		-The sendmail software was not developed with security in mind and -its design prevents it from being effectively contained by SELinux. Postfix -should be used instead. +Removing the DHCP server ensures that it cannot be easily or +accidentally reactivated and disrupt network operation. +
BP28(R1)Uninstall tftp-server Package +The tftp-server package can be removed with the following command: 
 $ sudo yum erase tftp-server
+ 		+Removing the tftp-server package decreases the risk of the accidental +(or intentional) activation of tftp services. +

+If TFTP is required for operational support (such as transmission of router +configurations), its use must be documented with the Information Systems +Securty Manager (ISSM), restricted to only authorized personnel, and have +access control rules established.
BP28(R1)Remove NIS Client -The Network Information Service (NIS), formerly known as Yellow Pages, -is a client-server directory service protocol used to distribute system configuration -files. The NIS client (ypbind) was used to bind a system to an NIS server -and receive the distributed configuration files. -
1.5.1Verify /boot/grub2/grub.cfg User OwnershipVerify the UEFI Boot Loader grub.cfg Permissions -The file /boot/grub2/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. +File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg
+To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
 -Only root should be able to modify important boot parameters. +Proper permissions ensure that only the root user can modify important boot +parameters.
1.5.1Verify /boot/grub2/grub.cfg Group OwnershipVerify the UEFI Boot Loader grub.cfg User Ownership +The file /boot/efi/EFI/redhat/grub.cfg should +be owned by the root user to prevent destruction +or modification of the file. + +To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+ 		+Only root should be able to modify important boot parameters. +
1.5.1Verify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
1.5.1Verify the UEFI Boot Loader grub.cfg Permissions -File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. - -To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
- 		-Proper permissions ensure that only the root user can modify important boot -parameters. -
1.5.1Verify the UEFI Boot Loader grub.cfg User OwnershipVerify /boot/grub2/grub.cfg Group Ownership -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
 -Only root should be able to modify important boot parameters. +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway.
1.5.2Set the UEFI Boot Loader PasswordSet Boot Loader Password in grub2 The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. @@ -784,7 +784,7 @@
1.5.2Set Boot Loader Password in grub2Set the UEFI Boot Loader Password The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. @@ -806,6 +806,23 @@
1.5.3Require Authentication for Emergency Systemd Target +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + 		+This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. +
1.5.3 Require Authentication for Single User Mode Single-user mode is intended as a system recovery @@ -823,20 +840,21 @@
1.5.3Require Authentication for Emergency Systemd Target1.6.1Disable storing core dump -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. +The Storage option in [Coredump] section +of /etc/systemd/coredump.conf +can be set to none to disable storing core dumps permanently. 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. +A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data +and is generally useful only for developers or system operators trying to +debug problems. Enabling core dumps on production systems is not recommended, +however there may be overriding operational requirements to enable advanced +debuging. Permitting temporary enablement of core dumps during such situations +should be reviewed through local needs and policy.
1.6.1Disable Core Dumps for All Users -To disable core dumps for all users, add the following line to -/etc/security/limits.conf, or to a file within the -/etc/security/limits.d/ directory: -
*     hard   core    0
- 		-A core dump includes a memory image taken at the time the operating system -terminates an application. The memory image could contain sensitive data and is generally useful -only for developers trying to debug problems. -
1.6.1 Disable core dump backtraces The ProcessSizeMax option in [Coredump] section /usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -43,6 +43,29 @@
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password +If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Remove any instances of the +nullok in + +/etc/pam.d/system-auth + +to prevent logins with empty passwords. +Note that this rule is not applicable for systems running within a +container. Having user with empty password within a container is not +considered a risk, because it should not be possible to directly login into +a container anyway. + +If an account has an empty password, anyone could log in and +run commands with the privileges of that account. Accounts with +empty passwords should never be used in operational environments. +
3.1.1
3.1.5		 Disable SSH Access via Empty Passwords Disallow SSH login with empty passwords. @@ -67,118 +90,20 @@
3.1.1
3.4.5		Require Authentication for Single User Mode -Single-user mode is intended as a system recovery -method, providing a single user root access to the system by -providing a boot option at startup. By default, no authentication -is performed if single-user mode is selected. -

-By default, single-user mode is protected by requiring a password and is set -in /usr/lib/systemd/system/rescue.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Verify Only Root Has UID 0 -If any account other than root has a UID of 0, this misconfiguration should -be investigated and the accounts other than root should be removed or have -their UID changed. -
-If the account is associated with system commands or applications the UID -should be changed to one greater than "0" but less than "1000." -Otherwise assign a UID greater than "1000" that has not already been -assigned. - 		-An account has root authority if it has a UID of 0. Multiple accounts -with a UID of 0 afford more opportunity for potential intruders to -guess a password for a privileged account. Proper configuration of -sudo is recommended to afford multiple system administrators -access to root privileges in an accountable manner. -
3.1.1
3.1.5		Restrict Serial Port Root Logins -To restrict root logins on serial ports, -ensure lines of this form do not appear in /etc/securetty: -
ttyS0
-ttyS1
- 		-Preventing direct root login to serial port interfaces -helps ensure accountability for actions taken on the systems -using the root account. -
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target -Emergency mode is intended as a system recovery -method, providing a single user root access to the system -during a failed boot sequence. -

-By default, Emergency mode is protected by requiring a password and is set -in /usr/lib/systemd/system/emergency.service. - 		-This prevents attackers with physical access from trivially bypassing security -on the machine and gaining root access. Such accesses are further prevented -by configuring the bootloader password. -
3.1.1
3.1.5		Disable SSH Root Login -The root user should never be allowed to login to a -system directly over a network. -To disable root login via SSH, add or correct the following line in - - -/etc/ssh/sshd_config: - -
PermitRootLogin no
- 		-Even though the communications channel may be encrypted, an additional layer of -security is gained by extending the policy of not logging directly on as root. -In addition, logging in with a user-specific account provides individual -accountability of actions performed on the system and also helps to minimize -direct attack attempts on root's password. -
3.1.1
3.1.5		Prevent Login to Accounts With Empty Password3.1.1Disable GDM Automatic Login -If an account is configured for password authentication -but does not have an assigned password, it may be possible to log -into the account without authentication. Remove any instances of the -nullok in - -/etc/pam.d/system-auth - -to prevent logins with empty passwords. -Note that this rule is not applicable for systems running within a -container. Having user with empty password within a container is not -considered a risk, because it should not be possible to directly login into -a container anyway. +The GNOME Display Manager (GDM) can allow users to automatically login without +user interaction or credentials. User should always be required to authenticate themselves +to the system that they are authorized to use. To disable user ability to automatically +login to the system, set the AutomaticLoginEnable to false in the +[daemon] section in /etc/gdm/custom.conf. For example: +
[daemon]
+AutomaticLoginEnable=false
 -If an account has an empty password, anyone could log in and -run commands with the privileges of that account. Accounts with -empty passwords should never be used in operational environments. +Failure to restrict system access to authenticated users negatively impacts operating +system security.
3.1.1Disable GDM Automatic Login -The GNOME Display Manager (GDM) can allow users to automatically login without -user interaction or credentials. User should always be required to authenticate themselves -to the system that they are authorized to use. To disable user ability to automatically -login to the system, set the AutomaticLoginEnable to false in the -[daemon] section in /etc/gdm/custom.conf. For example: -
[daemon]
-AutomaticLoginEnable=false
- 		-Failure to restrict system access to authenticated users negatively impacts operating -system security. -
3.1.1
3.1.5		 Restrict Virtual Console Root Logins @@ -242,6 +150,41 @@
3.1.1
3.4.5		Require Authentication for Emergency Systemd Target +Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. +

+By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + 		Rationale
AU-2(d)
AU-12(c)
CM-6(a)		Record Unsuccessul Ownership Changes to Files - chown -The audit system should collect unsuccessful file ownership change -attempts for all users and root. -If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d. -If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file. -
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines: -
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
- 		-Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing -these events could serve as evidence of potential system compromise. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Attempts to Alter the localtime FileRecord Attempts to Alter Time Through clock_settime If the auditd daemon is configured to use the -augenrules program to read audit rules during daemon startup (the default), -add the following line to a file with suffix .rules in the directory -/etc/audit/rules.d: -
-w /etc/localtime -p wa -k audit_time_rules
+augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: -
-w /etc/localtime -p wa -k audit_time_rules
+
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line: +
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can -be used for better reporting capability through ausearch and aureport and -should always be used. +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
 Arbitrary changes to the system time can be used to obfuscate @@ -91,148 +73,50 @@
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - setxattr -At a minimum, the audit system should collect file permission -changes for all users and root. If the auditd daemon is configured -to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
- 		-The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Ensure auditd Collects Information on Exporting to Media (successful) -At a minimum, the audit system should collect media exportation -events for all users and root. If the auditd daemon is configured to -use the augenrules program to read audit rules during daemon startup -(the default), add the following line to a file with suffix .rules in -the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as -appropriate for your system: -
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
- 		-The unauthorized exportation of data to external media could result in an information leak -where classified information, Privacy Act information, and intellectual property could be lost. An audit -trail should be created each time a filesystem is mounted to help identify and guard against information -loss. -
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)		Record Any Attempts to Run seunshare -At a minimum, the audit system should collect any execution attempt -of the seunshare command for all users and root. If the auditd -daemon is configured to use the augenrules program to read audit rules -during daemon startup (the default), add the following lines to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following lines to -/etc/audit/audit.rules file: -
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
- 		-Misuse of privileged functions, either intentionally or unintentionally by -authorized users, or by unauthorized external entities that have compromised system accounts, -is a serious and ongoing concern and can have significant adverse impacts on organizations. -Auditing the use of privileged functions is one way to detect such misuse and identify -the risk from insider and advanced persistent threats. -

-Privileged programs are subject to escalation-of-privilege attacks, -which attempt to subvert their normal role of providing some necessary but -limited capability. As such, motivation exists to monitor these programs for -unusual activity. -
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - lremovexattrRecord Unsuccessul Permission Changes to Files - fchmodat -At a minimum, the audit system should collect file permission -changes for all users and root. -

+The audit system should collect unsuccessful file permission change +attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon -startup (the default), add the following line to a file with suffix -.rules in the directory /etc/audit/rules.d: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
-

+startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl -utility to read audit rules during daemon startup, add the following line to -/etc/audit/audit.rules file: -
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod
-

-If the system is 64 bit then also add the following line: -
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
+utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+If the system is 64 bit then also add the following lines: +
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
 -The changing of file permissions could indicate that a user is attempting to -gain access to information that would otherwise be disallowed. Auditing DAC modifications -can facilitate the identification of patterns of abuse among both authorized and -unauthorized users. +Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise.
AU-2(d)
AU-12(c)
CM-6(a)		Record Events that Modify the System's Discretionary Access Controls - fremovexattrRecord Events that Modify the System's Discretionary Access Controls - lsetxattr /usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines) --- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-02-22 00:00:00.000000000 +0000 @@ -59,6 +59,34 @@
Req-6.2Ensure gpgcheck Enabled In Main yum Configuration +The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure yum to check package signatures before installing +them, ensure the following line appears in /etc/yum.conf in +the [main] section: +
gpgcheck=1
+ 		+Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. +
+Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +
Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA). +
Req-6.2 Ensure gpgcheck Enabled for All yum Package Repositories To ensure signature checking is not disabled for @@ -99,34 +127,6 @@
Req-6.2Ensure gpgcheck Enabled In Main yum Configuration -The gpgcheck option controls whether -RPM packages' signatures are always checked prior to installation. -To configure yum to check package signatures before installing -them, ensure the following line appears in /etc/yum.conf in -the [main] section: -
gpgcheck=1
- 		-Changes to any software components can have significant effects on the -overall security of the operating system. This requirement ensures the -software has not been tampered with and that it has been provided by a -trusted vendor. -
-Accordingly, patches, service packs, device drivers, or operating system -components must be signed with a certificate recognized and approved by the -organization. -
Verifying the authenticity of the software prior to installation -validates the integrity of the patch or upgrade received from a vendor. -This ensures the software has not been tampered with and that it has been -provided by a trusted vendor. Self-signed certificates are disallowed by -this requirement. Certificates used to verify the software must be from an -approved Certificate Authority (CA). -
Req-6.2 Ensure Red Hat GPG Key Installed To ensure the system can cryptographically verify base software packages @@ -156,14 +156,14 @@
Req-7.1Verify /boot/grub2/grub.cfg User OwnershipVerify the UEFI Boot Loader grub.cfg User Ownership -The file /boot/grub2/grub.cfg should +The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. -To properly set the owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chown root /boot/grub2/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: +
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
Only root should be able to modify important boot parameters. @@ -171,18 +171,17 @@
Req-7.1Verify /boot/grub2/grub.cfg Group OwnershipVerify /boot/grub2/grub.cfg User Ownership The file /boot/grub2/grub.cfg should -be group-owned by the root group to prevent -destruction or modification of the file. +be owned by the root user to prevent destruction +or modification of the file. -To properly set the group owner of /boot/grub2/grub.cfg, run the command: -
$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this -file should not have any access privileges anyway. +Only root should be able to modify important boot parameters.
Req-7.1Verify the UEFI Boot Loader grub.cfg User OwnershipVerify /boot/grub2/grub.cfg Group Ownership -The file /boot/efi/EFI/redhat/grub.cfg should -be owned by the root user to prevent destruction -or modification of the file. +The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. -To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command: -
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command: +
$ sudo chgrp root /boot/grub2/grub.cfg
 -Only root should be able to modify important boot parameters. +The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway.
Req-8.1.8Ensure Users Cannot Change GNOME3 Screensaver Idle ActivationEnable GNOME3 Screensaver Idle Activation -If not already configured, ensure that users cannot change GNOME3 screensaver lock settings -by adding 
/org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings. +To activate the screensaver in the GNOME3 desktop after a period of inactivity, +add or set idle-activation-enabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/desktop/screensaver]
+idle-activation-enabled=true
+Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example: 
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update. 		-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity -of the information system but does not want to logout because of the temporary nature of the absense. +A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, +GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the +session lock. +

+Enabling idle activation of the screensaver ensures the screensaver will +be activated after the idle delay. Applications requiring continuous, +real-time screen display (such as network management products) require the +login session does not have administrator rights and the display station is located in a +controlled-access area.
Req-8.1.8Enable GNOME3 Screensaver Lock After Idle PeriodSet SSH Idle Timeout Interval +SSH allows administrators to set an idle timeout interval. After this interval +has passed, the idle user will be automatically logged out. +

+To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as +follows: +
ClientAliveInterval 300
+

+The timeout interval is given in seconds. For example, have a timeout +of 10 minutes, set interval to 600. +

+If a shorter timeout has already been set for the login shell, that value will +preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that +some processes may stop SSH from correctly detecting that the user is idle. + 		+Terminating an idle ssh session within a short time period reduces the window of /usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines) --- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,4 +1,4 @@ -1RHV hardening based on STIG for Red Hat Enterprise Linux 7 +1RHV hardening based on STIG for Red Hat Enterprise Linux 7 This profile contains configuration checks for Red Hat Virtualization based on the the DISA STIG for Red Hat Enterprise Linux 7. /usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines) --- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,4 +1,4 @@ -1DISA STIG for Red Hat Enterprise Linux 8 +1DISA STIG for Red Hat Enterprise Linux 8 This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R4. /usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -49397,88 +49397,70 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean - - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs - - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - - - Resolve information before writing to audit logs + + Enable the OpenSSH Service - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Disable debug-shell SystemD Service + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Disable snmpd Service + + Install cryptsetup-luks Package - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 @@ -49487,322 +49469,322 @@ ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Record Attempts to Alter the localtime File + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Add nosuid Option to /home - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify Permissions on cron.weekly + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -49400,88 +49400,70 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean - - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs - - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - - - Resolve information before writing to audit logs + + Enable the OpenSSH Service - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Disable debug-shell SystemD Service + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Disable snmpd Service + + Install cryptsetup-luks Package - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 @@ -49490,322 +49472,322 @@ ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Record Attempts to Alter the localtime File + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Add nosuid Option to /home - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify Permissions on cron.weekly + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,5 +1,5 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 7 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of @@ -56,59 +56,54 @@ - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -116,29 +111,29 @@ - + - + - + - + - + - + - + - + - + - + @@ -146,14 +141,19 @@ + + + + + - + - + @@ -161,9 +161,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -52029,2758 +52029,2752 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Configure SSSD to run as user sssd - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Uninstall talk Package + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set hostname as computer node name in audit logs + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Limit CPU consumption of the Perf system - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Disable snmpd Service + + Add nosuid Option to /home - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -52031,2758 +52031,2752 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Configure SSSD to run as user sssd - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Uninstall talk Package + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set hostname as computer node name in audit logs + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Limit CPU consumption of the Perf system - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Disable snmpd Service + + Add nosuid Option to /home - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,5 +1,5 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 8 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of @@ -56,14 +56,14 @@ - + - + - + - + @@ -71,14 +71,24 @@ - + - + - + - + + + + + + + + + + + @@ -86,9 +96,14 @@ - + - + + + + + + @@ -101,19 +116,19 @@ - + - + - + - + - + - + @@ -121,9 +136,9 @@ - + - + @@ -131,24 +146,9 @@ - - - - - - - - - - - - - - - - + - + @@ -156,9 +156,9 @@ - + - + @@ -166,9 +166,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -48475,406 +48475,400 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Add nosuid Option to /home - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Disable snmpd Service + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Disable the polipo_session_users SELinux Boolean - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-sebool_polipo_session_users_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the entropyd_use_audio SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -48477,406 +48477,400 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Add nosuid Option to /home - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Disable snmpd Service + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Disable the polipo_session_users SELinux Boolean - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-sebool_polipo_session_users_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the entropyd_use_audio SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,5 +1,5 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 9 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 9. It is a rendering of @@ -56,34 +56,34 @@ - + - + - + - + - + - + - + - + - + - + - + - + @@ -91,49 +91,49 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -141,9 +141,9 @@ - + - + @@ -151,9 +151,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -35470,1570 +35470,1558 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Configure SSSD to run as user sssd - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Install cryptsetup-luks Package - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Install the tmux Package - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -35470,1570 +35470,1558 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Configure SSSD to run as user sssd - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Install cryptsetup-luks Package - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Install the tmux Package - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon /usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,1570 +7,1558 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Configure SSSD to run as user sssd - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Install cryptsetup-luks Package - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Install the tmux Package - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon /usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Fedora This guide presents a catalog of security-relevant configuration settings for Fedora. It is a rendering of @@ -43,19 +43,14 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - - - - - - + - + @@ -63,24 +58,24 @@ - + - + - + - + - + - + - + - + @@ -88,34 +83,39 @@ - + - + - + - + - + - + - + - + - + - + - + - + + + + + + @@ -123,14 +123,14 @@ - + - + - + - + @@ -138,9 +138,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -36965,1342 +36965,1342 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package + + Enable the OpenSSH Service - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Disable debug-shell SystemD Service + + Remove telnet Clients - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Uninstall talk Package + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Install cryptsetup-luks Package - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Limit CPU consumption of the Perf system - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Set hostname as computer node name in audit logs + + Add nosuid Option to /home - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Record Attempts to Alter the localtime File + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Add nosuid Option to /home + + Remove the X Windows Package Group - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Record Unsuccessul Permission Changes to Files - fchmodat /usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -36967,1342 +36967,1342 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package + + Enable the OpenSSH Service - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Disable debug-shell SystemD Service + + Remove telnet Clients - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Uninstall talk Package + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Install cryptsetup-luks Package - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Limit CPU consumption of the Perf system - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Set hostname as computer node name in audit logs + + Add nosuid Option to /home - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Record Attempts to Alter the localtime File + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Add nosuid Option to /home + + Remove the X Windows Package Group - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Record Unsuccessul Permission Changes to Files - fchmodat /usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,1342 +7,1342 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package + + Enable the OpenSSH Service - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Disable debug-shell SystemD Service + + Remove telnet Clients - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Uninstall talk Package + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Install cryptsetup-luks Package - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Limit CPU consumption of the Perf system - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Set hostname as computer node name in audit logs + + Add nosuid Option to /home - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Record Attempts to Alter the localtime File + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - A remote time server for Chrony is configured + + Configure GNOME3 DConf User Profile - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Enable cron Service + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Add nosuid Option to /home + + Remove the X Windows Package Group - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Record Unsuccessul Permission Changes to Files - fchmodat /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Oracle Linux 7 This guide presents a catalog of security-relevant configuration settings for Oracle Linux 7. It is a rendering of @@ -43,9 +43,9 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + @@ -53,29 +53,34 @@ - + - + - + - + - + - + - + - + - + - + + + + + + @@ -88,19 +93,19 @@ - + - + - + - + - + - + @@ -108,24 +113,19 @@ - - - - - - + - + - + - + @@ -133,9 +133,9 @@ - + - + @@ -143,9 +143,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -39565,976 +39565,964 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs + + Enable the OpenSSH Service - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Resolve information before writing to audit logs + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Ensure /var Located On Separate Partition + + Configure SSSD to run as user sssd - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Add nosuid Option to /home - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Record Attempts to Alter the localtime File + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - A remote time server for Chrony is configured + + Install the tmux Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Enable cron Service + + Verify File Hashes with RPM - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Add nosuid Option to /home /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -39567,976 +39567,964 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs + + Enable the OpenSSH Service - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Resolve information before writing to audit logs + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Ensure /var Located On Separate Partition + + Configure SSSD to run as user sssd - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Add nosuid Option to /home - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Record Attempts to Alter the localtime File + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - A remote time server for Chrony is configured + + Install the tmux Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Enable cron Service + + Verify File Hashes with RPM - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Add nosuid Option to /home /usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,976 +7,964 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs + + Enable the OpenSSH Service - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Resolve information before writing to audit logs + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Ensure /var Located On Separate Partition + + Configure SSSD to run as user sssd - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Add nosuid Option to /home - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Record Attempts to Alter the localtime File + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - A remote time server for Chrony is configured + + Install the tmux Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Enable cron Service + + Verify File Hashes with RPM - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Add nosuid Option to /home /usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Oracle Linux 8 This guide presents a catalog of security-relevant configuration settings for Oracle Linux 8. It is a rendering of @@ -43,9 +43,9 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + @@ -53,9 +53,9 @@ - + - + @@ -63,54 +63,54 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -118,14 +118,14 @@ - + - + - + - + @@ -133,9 +133,9 @@ - + - + @@ -143,9 +143,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -29741,160 +29741,142 @@ 2022-02-22T00:00:00 - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure all zIPL boot entries are BLS compliant - - ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - - - Disable debug-shell SystemD Service + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Ensure /var Located On Separate Partition + + Configure SSSD to run as user sssd - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Extend Audit Backlog Limit for the Audit Daemon + + Add nosuid Option to /home - ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure all zIPL boot entries are BLS compliant - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - A remote time server for Chrony is configured + + Install the tmux Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Add nosuid Option to /home + + Install the OpenSSH Server Package - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Harden OpenSSL Crypto Policy + + Record Unsuccessul Permission Changes to Files - fchmodat - ocil:ssg-harden_openssl_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure Libreswan to use System Crypto Policy - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Ensure SELinux State is Enforcing + + Add nosuid Option to /tmp - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Record Attempts to Alter Logon and Logout Events - faillock /usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -29741,160 +29741,142 @@ 2022-02-22T00:00:00 - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure all zIPL boot entries are BLS compliant - - ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - - - Disable debug-shell SystemD Service + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Ensure /var Located On Separate Partition + + Configure SSSD to run as user sssd - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Extend Audit Backlog Limit for the Audit Daemon + + Add nosuid Option to /home - ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure all zIPL boot entries are BLS compliant - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - A remote time server for Chrony is configured + + Install the tmux Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Add nosuid Option to /home + + Install the OpenSSH Server Package - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Harden OpenSSL Crypto Policy + + Record Unsuccessul Permission Changes to Files - fchmodat - ocil:ssg-harden_openssl_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure Libreswan to use System Crypto Policy - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Ensure SELinux State is Enforcing + + Add nosuid Option to /tmp - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Record Attempts to Alter Logon and Logout Events - faillock /usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,160 +7,142 @@ 2022-02-22T00:00:00 - - Configure SSH to use System Crypto Policy - - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 - - - - Resolve information before writing to audit logs - - ocil:ssg-auditd_log_format_action:testaction:1 - - - - Ensure all zIPL boot entries are BLS compliant - - ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - - - Disable debug-shell SystemD Service + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Ensure /var Located On Separate Partition + + Configure SSSD to run as user sssd - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Extend Audit Backlog Limit for the Audit Daemon + + Add nosuid Option to /home - ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Authorize Human Interface Devices and USB hubs in USBGuard daemon - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure all zIPL boot entries are BLS compliant - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-zipl_bls_entries_only_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - A remote time server for Chrony is configured + + Install the tmux Package - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Add nosuid Option to /home + + Install the OpenSSH Server Package - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Harden OpenSSL Crypto Policy + + Record Unsuccessul Permission Changes to Files - fchmodat - ocil:ssg-harden_openssl_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure Libreswan to use System Crypto Policy - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Ensure SELinux State is Enforcing + + Add nosuid Option to /tmp - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Record Attempts to Alter Logon and Logout Events - faillock /usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of @@ -48,19 +48,24 @@ + + + + + - + - + - + - + @@ -73,44 +78,39 @@ - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -118,9 +118,9 @@ - + - + @@ -128,9 +128,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -50257,88 +50257,70 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean - - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs - - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - - - Resolve information before writing to audit logs + + Enable the OpenSSH Service - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Disable debug-shell SystemD Service + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Disable snmpd Service + + Install cryptsetup-luks Package - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 @@ -50347,322 +50329,322 @@ ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Record Attempts to Alter the localtime File + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Add nosuid Option to /home - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify Permissions on cron.weekly + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -50260,88 +50260,70 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean - - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs - - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - - - Resolve information before writing to audit logs + + Enable the OpenSSH Service - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Disable debug-shell SystemD Service + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Disable snmpd Service + + Install cryptsetup-luks Package - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 @@ -50350,322 +50332,322 @@ ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Record Attempts to Alter the localtime File + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Add nosuid Option to /home - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify Permissions on cron.weekly + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,88 +7,70 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean - - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs - - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - - - Resolve information before writing to audit logs + + Enable the OpenSSH Service - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Disable debug-shell SystemD Service + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Disable snmpd Service + + Install cryptsetup-luks Package - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 @@ -97,322 +79,322 @@ ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Record Attempts to Alter the localtime File + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Add nosuid Option to /home - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify Permissions on cron.weekly + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 7 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of @@ -48,59 +48,54 @@ - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -108,29 +103,29 @@ - + - + - + - + - + - + - + - + - + - + @@ -138,14 +133,19 @@ + + + + + - + - + @@ -153,9 +153,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -52869,2758 +52869,2752 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Configure SSSD to run as user sssd - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Uninstall talk Package + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set hostname as computer node name in audit logs + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Limit CPU consumption of the Perf system - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Disable snmpd Service + + Add nosuid Option to /home - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -52871,2758 +52871,2752 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Configure SSSD to run as user sssd - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Uninstall talk Package + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set hostname as computer node name in audit logs + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Limit CPU consumption of the Perf system - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Disable snmpd Service + + Add nosuid Option to /home - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,2758 +7,2752 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Configure SSSD to run as user sssd - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 - - Uninstall talk Package + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Install rear Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Certificate certificate status checking in SSSD + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set hostname as computer node name in audit logs + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Limit CPU consumption of the Perf system - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Disable snmpd Service + + Add nosuid Option to /home - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 8 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of @@ -48,14 +48,14 @@ - + - + - + - + @@ -63,14 +63,24 @@ - + - + - + - + + + + + + + + + + + @@ -78,9 +88,14 @@ - + - + + + + + + @@ -93,19 +108,19 @@ - + - + - + - + - + - + @@ -113,9 +128,9 @@ - + - + @@ -123,24 +138,9 @@ - - - - - - - - - - - - - - - - + - + @@ -148,9 +148,9 @@ - + - + @@ -158,9 +158,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -49162,406 +49162,400 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Add nosuid Option to /home - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Disable snmpd Service + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Disable the polipo_session_users SELinux Boolean - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-sebool_polipo_session_users_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the entropyd_use_audio SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -49164,406 +49164,400 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Add nosuid Option to /home - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Disable snmpd Service + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Disable the polipo_session_users SELinux Boolean - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-sebool_polipo_session_users_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the entropyd_use_audio SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,406 +7,400 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean + + Enable the OpenSSH Service - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Remove telnet Clients - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Resolve information before writing to audit logs + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure all zIPL boot entries are BLS compliant + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-zipl_bls_entries_only_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Disable debug-shell SystemD Service + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Install rear Package + + Enable the GNOME3 Screen Locking On Smartcard Removal - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Certificate certificate status checking in SSSD + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sssd_certificate_verification_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the nagios_run_sudo SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Set hostname as computer node name in audit logs + + Limit CPU consumption of the Perf system - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Add nosuid Option to /home - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Disable snmpd Service + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Ensure zIPL bootmap is up to date + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Disable the nagios_run_sudo SELinux Boolean + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Record Attempts to Alter the localtime File + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Disable the polipo_session_users SELinux Boolean - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-sebool_polipo_session_users_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the entropyd_use_audio SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_entropyd_use_audio_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 9 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 9. It is a rendering of @@ -48,34 +48,34 @@ - + - + - + - + - + - + - + - + - + - + - + - + @@ -83,49 +83,49 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -133,9 +133,9 @@ - + - + @@ -143,9 +143,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -4135,18 +4135,6 @@ 2022-02-22T00:00:00 - - Set Maximum Number of Failed Authentication Attempts - - ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - - - - Set Maximum Inactivity Period - - ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -4159,16 +4147,22 @@ ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1 - - Check-Block-02: Are strict permissions set for cinder config files? + + Set Maximum Number of Failed Authentication Attempts - ocil:ssg-cinder_conf_file_perms_action:testaction:1 + ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - + Set Maximum Inactivity Period - ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 + + + + Check-Block-02: Are strict permissions set for cinder config files? + + ocil:ssg-cinder_conf_file_perms_action:testaction:1 @@ -4183,9 +4177,15 @@ ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1 + + Set Maximum Inactivity Period + + ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + + - + PASS @@ -4193,7 +4193,7 @@ FAIL - + PASS @@ -4201,7 +4201,7 @@ FAIL - + PASS @@ -4209,7 +4209,7 @@ FAIL - + PASS @@ -4225,7 +4225,7 @@ FAIL - + PASS @@ -4233,7 +4233,7 @@ FAIL - + PASS @@ -4241,7 +4241,7 @@ FAIL - + PASS @@ -4251,6 +4251,24 @@ + + Run the following command to see what the account lockout +duration is: + +$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +lockout_duration= + Is it the case that lockout_duration is not configured properly? + + + + Check the file /etc/openstack-dashboard/local_settings and ensure the +following line appears: +CSRF_COOKIE_SECURE True + Is it the case that CSRF_COOKIE_SECURE is set to False? + + Run the following command to see what the maximum authentication attempts is: @@ -4273,24 +4291,6 @@ Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout -duration is: - -$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -lockout_duration= - Is it the case that lockout_duration is not configured properly? - - - - Check the file /etc/openstack-dashboard/local_settings and ensure the -following line appears: -CSRF_COOKIE_SECURE True - Is it the case that CSRF_COOKIE_SECURE is set to False? - - To check the permissions of /etc/cinder/*.conf, run the command: @@ -4300,17 +4300,6 @@ Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----? - - Run the following command to see what the maximum authentication -attempts is: - -$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -disable_user_account_days_inactive = - Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout duration is: @@ -4333,12 +4322,23 @@ Is it the case that lockout_failure_attempts is commented out or not configured properly? + + Run the following command to see what the maximum authentication +attempts is: + +$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +disable_user_account_days_inactive = /usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -4135,18 +4135,6 @@ 2022-02-22T00:00:00 - - Set Maximum Number of Failed Authentication Attempts - - ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - - - - Set Maximum Inactivity Period - - ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -4159,16 +4147,22 @@ ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1 - - Check-Block-02: Are strict permissions set for cinder config files? + + Set Maximum Number of Failed Authentication Attempts - ocil:ssg-cinder_conf_file_perms_action:testaction:1 + ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - + Set Maximum Inactivity Period - ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 + + + + Check-Block-02: Are strict permissions set for cinder config files? + + ocil:ssg-cinder_conf_file_perms_action:testaction:1 @@ -4183,9 +4177,15 @@ ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1 + + Set Maximum Inactivity Period + + ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + + - + PASS @@ -4193,7 +4193,7 @@ FAIL - + PASS @@ -4201,7 +4201,7 @@ FAIL - + PASS @@ -4209,7 +4209,7 @@ FAIL - + PASS @@ -4225,7 +4225,7 @@ FAIL - + PASS @@ -4233,7 +4233,7 @@ FAIL - + PASS @@ -4241,7 +4241,7 @@ FAIL - + PASS @@ -4251,6 +4251,24 @@ + + Run the following command to see what the account lockout +duration is: + +$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +lockout_duration= + Is it the case that lockout_duration is not configured properly? + + + + Check the file /etc/openstack-dashboard/local_settings and ensure the +following line appears: +CSRF_COOKIE_SECURE True + Is it the case that CSRF_COOKIE_SECURE is set to False? + + Run the following command to see what the maximum authentication attempts is: @@ -4273,24 +4291,6 @@ Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout -duration is: - -$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -lockout_duration= - Is it the case that lockout_duration is not configured properly? - - - - Check the file /etc/openstack-dashboard/local_settings and ensure the -following line appears: -CSRF_COOKIE_SECURE True - Is it the case that CSRF_COOKIE_SECURE is set to False? - - To check the permissions of /etc/cinder/*.conf, run the command: @@ -4300,17 +4300,6 @@ Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----? - - Run the following command to see what the maximum authentication -attempts is: - -$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -disable_user_account_days_inactive = - Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout duration is: @@ -4333,12 +4322,23 @@ Is it the case that lockout_failure_attempts is commented out or not configured properly? + + Run the following command to see what the maximum authentication +attempts is: + +$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +disable_user_account_days_inactive = /usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,18 +7,6 @@ 2022-02-22T00:00:00 - - Set Maximum Number of Failed Authentication Attempts - - ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - - - - Set Maximum Inactivity Period - - ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -31,16 +19,22 @@ ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1 - - Check-Block-02: Are strict permissions set for cinder config files? + + Set Maximum Number of Failed Authentication Attempts - ocil:ssg-cinder_conf_file_perms_action:testaction:1 + ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - + Set Maximum Inactivity Period - ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 + + + + Check-Block-02: Are strict permissions set for cinder config files? + + ocil:ssg-cinder_conf_file_perms_action:testaction:1 @@ -55,9 +49,15 @@ ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1 + + Set Maximum Inactivity Period + + ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + + - + PASS @@ -65,7 +65,7 @@ FAIL - + PASS @@ -73,7 +73,7 @@ FAIL - + PASS @@ -81,7 +81,7 @@ FAIL - + PASS @@ -97,7 +97,7 @@ FAIL - + PASS @@ -105,7 +105,7 @@ FAIL - + PASS @@ -113,7 +113,7 @@ FAIL - + PASS @@ -123,6 +123,24 @@ + + Run the following command to see what the account lockout +duration is: + +$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +lockout_duration= + Is it the case that lockout_duration is not configured properly? + + + + Check the file /etc/openstack-dashboard/local_settings and ensure the +following line appears: +CSRF_COOKIE_SECURE True + Is it the case that CSRF_COOKIE_SECURE is set to False? + + Run the following command to see what the maximum authentication attempts is: @@ -145,24 +163,6 @@ Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout -duration is: - -$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -lockout_duration= - Is it the case that lockout_duration is not configured properly? - - - - Check the file /etc/openstack-dashboard/local_settings and ensure the -following line appears: -CSRF_COOKIE_SECURE True - Is it the case that CSRF_COOKIE_SECURE is set to False? - - To check the permissions of /etc/cinder/*.conf, run the command: @@ -172,17 +172,6 @@ Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----? - - Run the following command to see what the maximum authentication -attempts is: - -$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -disable_user_account_days_inactive = - Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout duration is: @@ -205,5 +194,16 @@ Is it the case that lockout_failure_attempts is commented out or not configured properly? + + Run the following command to see what the maximum authentication +attempts is: + +$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +disable_user_account_days_inactive = /usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp10-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Red Hat OpenStack Platform 10 This guide presents a catalog of security-relevant configuration settings for Red Hat OpenStack Platform 10. It is a rendering of /usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -4137,18 +4137,6 @@ 2022-02-22T00:00:00 - - Set Maximum Number of Failed Authentication Attempts - - ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - - - - Set Maximum Inactivity Period - - ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -4161,6 +4149,18 @@ ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1 + + Set Maximum Number of Failed Authentication Attempts + + ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 + + + + Set Maximum Inactivity Period + + ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 + + Cross-Site Request Forgery Prevention: Enable CSRF_COOKIE_SECURE (containerized deployments) @@ -4173,12 +4173,6 @@ ocil:ssg-cinder_conf_file_perms_action:testaction:1 - - Set Maximum Inactivity Period - - ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -4191,9 +4185,15 @@ ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1 + + Set Maximum Inactivity Period + + ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + + - + PASS @@ -4201,7 +4201,7 @@ FAIL - + PASS @@ -4209,7 +4209,7 @@ FAIL - + PASS @@ -4217,7 +4217,7 @@ FAIL - + PASS @@ -4241,7 +4241,7 @@ FAIL - + PASS @@ -4249,7 +4249,7 @@ FAIL - + PASS @@ -4257,7 +4257,7 @@ FAIL - + PASS @@ -4267,6 +4267,24 @@ + + Run the following command to see what the account lockout +duration is: + +$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +lockout_duration= + Is it the case that lockout_duration is not configured properly? + + + + Check the file /etc/openstack-dashboard/local_settings and ensure the +following line appears: +CSRF_COOKIE_SECURE True + Is it the case that CSRF_COOKIE_SECURE is set to False? + + Run the following command to see what the maximum authentication attempts is: @@ -4289,24 +4307,6 @@ Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout -duration is: - -$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -lockout_duration= - Is it the case that lockout_duration is not configured properly? - - - - Check the file /etc/openstack-dashboard/local_settings and ensure the -following line appears: -CSRF_COOKIE_SECURE True - Is it the case that CSRF_COOKIE_SECURE is set to False? - - Check the file /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings and ensure the following line appears: @@ -4323,17 +4323,6 @@ Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----? - - Run the following command to see what the maximum authentication -attempts is: - -$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -disable_user_account_days_inactive = - Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout duration is: @@ -4356,12 +4345,23 @@ Is it the case that lockout_failure_attempts is commented out or not configured properly? + + Run the following command to see what the maximum authentication +attempts is: + /usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -4137,18 +4137,6 @@ 2022-02-22T00:00:00 - - Set Maximum Number of Failed Authentication Attempts - - ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - - - - Set Maximum Inactivity Period - - ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -4161,6 +4149,18 @@ ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1 + + Set Maximum Number of Failed Authentication Attempts + + ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 + + + + Set Maximum Inactivity Period + + ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 + + Cross-Site Request Forgery Prevention: Enable CSRF_COOKIE_SECURE (containerized deployments) @@ -4173,12 +4173,6 @@ ocil:ssg-cinder_conf_file_perms_action:testaction:1 - - Set Maximum Inactivity Period - - ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -4191,9 +4185,15 @@ ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1 + + Set Maximum Inactivity Period + + ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + + - + PASS @@ -4201,7 +4201,7 @@ FAIL - + PASS @@ -4209,7 +4209,7 @@ FAIL - + PASS @@ -4217,7 +4217,7 @@ FAIL - + PASS @@ -4241,7 +4241,7 @@ FAIL - + PASS @@ -4249,7 +4249,7 @@ FAIL - + PASS @@ -4257,7 +4257,7 @@ FAIL - + PASS @@ -4267,6 +4267,24 @@ + + Run the following command to see what the account lockout +duration is: + +$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +lockout_duration= + Is it the case that lockout_duration is not configured properly? + + + + Check the file /etc/openstack-dashboard/local_settings and ensure the +following line appears: +CSRF_COOKIE_SECURE True + Is it the case that CSRF_COOKIE_SECURE is set to False? + + Run the following command to see what the maximum authentication attempts is: @@ -4289,24 +4307,6 @@ Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout -duration is: - -$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -lockout_duration= - Is it the case that lockout_duration is not configured properly? - - - - Check the file /etc/openstack-dashboard/local_settings and ensure the -following line appears: -CSRF_COOKIE_SECURE True - Is it the case that CSRF_COOKIE_SECURE is set to False? - - Check the file /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings and ensure the following line appears: @@ -4323,17 +4323,6 @@ Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----? - - Run the following command to see what the maximum authentication -attempts is: - -$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -disable_user_account_days_inactive = - Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout duration is: @@ -4356,12 +4345,23 @@ Is it the case that lockout_failure_attempts is commented out or not configured properly? + + Run the following command to see what the maximum authentication +attempts is: + /usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,18 +7,6 @@ 2022-02-22T00:00:00 - - Set Maximum Number of Failed Authentication Attempts - - ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 - - - - Set Maximum Inactivity Period - - ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -31,6 +19,18 @@ ocil:ssg-horizon_csrf_cookie_secure_action:testaction:1 + + Set Maximum Number of Failed Authentication Attempts + + ocil:ssg-keystone_lockout_failure_attempts_action:testaction:1 + + + + Set Maximum Inactivity Period + + ocil:ssg-keystone_disable_user_account_days_inactive_action:testaction:1 + + Cross-Site Request Forgery Prevention: Enable CSRF_COOKIE_SECURE (containerized deployments) @@ -43,12 +43,6 @@ ocil:ssg-cinder_conf_file_perms_action:testaction:1 - - Set Maximum Inactivity Period - - ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 - - Set Account Lockout Duration @@ -61,9 +55,15 @@ ocil:ssg-container_keystone_lockout_failure_attempts_action:testaction:1 + + Set Maximum Inactivity Period + + ocil:ssg-container_keystone_disable_user_account_days_inactive_action:testaction:1 + + - + PASS @@ -71,7 +71,7 @@ FAIL - + PASS @@ -79,7 +79,7 @@ FAIL - + PASS @@ -87,7 +87,7 @@ FAIL - + PASS @@ -111,7 +111,7 @@ FAIL - + PASS @@ -119,7 +119,7 @@ FAIL - + PASS @@ -127,7 +127,7 @@ FAIL - + PASS @@ -137,6 +137,24 @@ + + Run the following command to see what the account lockout +duration is: + +$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf + +If properly configured, the output should be: +lockout_duration= + Is it the case that lockout_duration is not configured properly? + + + + Check the file /etc/openstack-dashboard/local_settings and ensure the +following line appears: +CSRF_COOKIE_SECURE True + Is it the case that CSRF_COOKIE_SECURE is set to False? + + Run the following command to see what the maximum authentication attempts is: @@ -159,24 +177,6 @@ Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout -duration is: - -$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -lockout_duration= - Is it the case that lockout_duration is not configured properly? - - - - Check the file /etc/openstack-dashboard/local_settings and ensure the -following line appears: -CSRF_COOKIE_SECURE True - Is it the case that CSRF_COOKIE_SECURE is set to False? - - Check the file /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings and ensure the following line appears: @@ -193,17 +193,6 @@ Is it the case that /etc/cinder/*.conf has unix mode -rw-r-----? - - Run the following command to see what the maximum authentication -attempts is: - -$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf - -If properly configured, the output should be: -disable_user_account_days_inactive = - Is it the case that disable_user_account_days_inactive is commented out or not configured properly? - - Run the following command to see what the account lockout duration is: @@ -226,5 +215,16 @@ Is it the case that lockout_failure_attempts is commented out or not configured properly? + + Run the following command to see what the maximum authentication +attempts is: + /usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhosp13-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Red Hat OpenStack Platform 13 This guide presents a catalog of security-relevant configuration settings for Red Hat OpenStack Platform 13. It is a rendering of /usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -26791,1108 +26791,1108 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package + + Enable the OpenSSH Service - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Add nosuid Option to /home - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the selinuxuser_use_ssh_chroot SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 - - Verify Permissions on cron.weekly + + Install the tmux Package - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Install the OpenSSH Server Package - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - A remote time server for Chrony is configured + + Remove the X Windows Package Group - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Enable cron Service + + Ensure yum Removes Previous Package Versions - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Disable the cron_system_cronjob_use_shares SELinux Boolean - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 - - Add nosuid Option to /home + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure Libreswan to use System Crypto Policy - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Remove telnet Clients + + Ensure auditd Collects Information on the Use of Privileged Commands - su /usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -26791,1108 +26791,1108 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package + + Enable the OpenSSH Service - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Add nosuid Option to /home - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the selinuxuser_use_ssh_chroot SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 - - Verify Permissions on cron.weekly + + Install the tmux Package - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Install the OpenSSH Server Package - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - A remote time server for Chrony is configured + + Remove the X Windows Package Group - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Enable cron Service + + Ensure yum Removes Previous Package Versions - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Disable the cron_system_cronjob_use_shares SELinux Boolean - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 - - Add nosuid Option to /home + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure Libreswan to use System Crypto Policy - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Remove telnet Clients + + Ensure auditd Collects Information on the Use of Privileged Commands - su /usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,1108 +7,1108 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package + + Enable the OpenSSH Service - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Configure SSH to use System Crypto Policy + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Set Password Hashing Algorithm in /etc/login.defs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Resolve information before writing to audit logs + + Remove telnet Clients - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Disable debug-shell SystemD Service + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Uninstall talk Package + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Add nosuid Option to /home - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Set hostname as computer node name in audit logs + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Enable the logadm_exec_content SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_logadm_exec_content_action:testaction:1 - - Record Attempts to Alter the localtime File + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Disable the selinuxuser_use_ssh_chroot SELinux Boolean - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sebool_selinuxuser_use_ssh_chroot_action:testaction:1 - - Verify Permissions on cron.weekly + + Install the tmux Package - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-package_tmux_installed_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify File Hashes with RPM - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-rpm_verify_hashes_action:testaction:1 - - Ensure cron Is Logging To Rsyslog + + Install the OpenSSH Server Package - ocil:ssg-rsyslog_cron_logging_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - A remote time server for Chrony is configured + + Remove the X Windows Package Group - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Enable cron Service + + Ensure yum Removes Previous Package Versions - ocil:ssg-service_crond_enabled_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Disable the cron_system_cronjob_use_shares SELinux Boolean - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sebool_cron_system_cronjob_use_shares_action:testaction:1 - - Add nosuid Option to /home + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-mount_option_home_nosuid_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure Libreswan to use System Crypto Policy - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 - - Remove telnet Clients + + Ensure auditd Collects Information on the Use of Privileged Commands - su /usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Red Hat Virtualization 4 This guide presents a catalog of security-relevant configuration settings for Red Hat Virtualization 4. It is a rendering of @@ -43,9 +43,9 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + @@ -53,29 +53,29 @@ - + - + - + - + - + - + - + - + - + - + @@ -88,44 +88,44 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -133,9 +133,9 @@ - + - + @@ -143,9 +143,9 @@ - + - + /usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -49397,88 +49397,70 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean - - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs - - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - - - Resolve information before writing to audit logs + + Enable the OpenSSH Service - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Disable debug-shell SystemD Service + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Disable snmpd Service + + Install cryptsetup-luks Package - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 @@ -49487,322 +49469,322 @@ ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Record Attempts to Alter the localtime File + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Add nosuid Option to /home - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify Permissions on cron.weekly + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -49400,88 +49400,70 @@ 2022-02-22T00:00:00 - - Install openscap-scanner Package - - ocil:ssg-package_openscap-scanner_installed_action:testaction:1 - - - - Disable the httpd_dontaudit_search_dirs SELinux Boolean - - ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1 - - - - Set Password Hashing Algorithm in /etc/login.defs - - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 - - - - Resolve information before writing to audit logs + + Enable the OpenSSH Service - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Disable debug-shell SystemD Service + + Boot Loader Is Not Installed On Removeable Media - ocil:ssg-service_debug-shell_disabled_action:testaction:1 + ocil:ssg-grub2_no_removeable_media_action:testaction:1 - - Disable Secure RPC Server Service (rpcsvcgssd) + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Install rear Package + + Disable the dhcpc_exec_iptables SELinux Boolean - ocil:ssg-package_rear_installed_action:testaction:1 + ocil:ssg-sebool_dhcpc_exec_iptables_action:testaction:1 - - Ensure /var Located On Separate Partition + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 - - Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + + Disable the httpd_read_user_content SELinux Boolean - ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + ocil:ssg-sebool_httpd_read_user_content_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure No Daemons are Unconfined by SELinux - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Enable the kerberos_enabled SELinux Boolean + + Disable the staff_use_svirt SELinux Boolean - ocil:ssg-sebool_kerberos_enabled_action:testaction:1 + ocil:ssg-sebool_staff_use_svirt_action:testaction:1 - - Disable snmpd Service + + Install cryptsetup-luks Package - ocil:ssg-service_snmpd_disabled_action:testaction:1 + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 @@ -49490,322 +49472,322 @@ ocil:ssg-sebool_nagios_run_sudo_action:testaction:1 - - Record Unsuccessul Ownership Changes to Files - chown + + Disable the rsync_anon_write SELinux Boolean - ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + ocil:ssg-sebool_rsync_anon_write_action:testaction:1 - - Record Attempts to Alter the localtime File + + Limit CPU consumption of the Perf system - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 - - Ensure All Groups on the System Have Unique Group ID + + Add nosuid Option to /home - ocil:ssg-group_unique_id_action:testaction:1 + ocil:ssg-mount_option_home_nosuid_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Disable the secure_mode_insmod SELinux Boolean + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces - ocil:ssg-sebool_secure_mode_insmod_action:testaction:1 + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 - - Verify Permissions on cron.weekly + + Disable the unprivuser_use_svirt SELinux Boolean - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-sebool_unprivuser_use_svirt_action:testaction:1 - - Enable the GNOME3 Login Smartcard Authentication + + Record Successful Creation Attempts to Files - openat O_CREAT - ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 - - Verify that Interactive Boot is Disabled + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 /usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,5 +1,5 @@ - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 7 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of @@ -56,59 +56,54 @@ - - - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -116,29 +111,29 @@ - + - + - + - + - + - + - + - + - + - + @@ -146,14 +141,19 @@ + + + + + - + - + @@ -161,9 +161,9 @@ - + - + RPMS.2017/scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.60-0.0.noarch.rpm comparing the rpm tags of scap-security-guide-ubuntu --- old-rpm-tags +++ new-rpm-tags @@ -167,26 +167,26 @@ ___QF_CHECKSUM___ /usr/share/doc/scap-security-guide 0 /usr/share/doc/scap-security-guide/guides 0 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 921aa93eaa45ac904289a1224ac62dbe170e21952d5ccebf11769c8aeaa025bf 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 008f427c128cb23219ecd351104381b3268b3104ea949fcb99c02fb47be97b6f 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html ae0f4a465607b3ce626518def6f09eddf083a0dfddadcf55d7ebcc7ef59e4242 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 3e30e79f215b4c9704845ad9eb94ee884a816c56419f4d73fe3dbc90574a303f 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html c688f0b5c00f82bf229aefa2e12fe06b8912dd8ecc722aae90ef430b929cadd7 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 5f92502faf91bb126e031747ae1287a0e94a1d568af373b681a85bb4a60bcb01 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html d77df8228aefec8d009894bbb790978caa51318c8db252e03c25a29e5d8e52d4 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html d6bc27a3e20b69efbab609b931d63868d5b37a25b20eea670a5635e4ebd51e3e 2 /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-index.html 8feadd06f2ff62e540d038be69883df5f1c307f382bd2ef22a04040dd54b5212 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 3ffdf07717b773dc046ef877d69dd4a2f13a6ab4bd013b16575e802320844f06 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 3fa12873b0ddf8b0e17bf1eeea5bf3b8a18c4c85d228e5085368798d26274b75 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html e07558e111ee9696f514d15a9babcb6ede1492ad6bba3b839cd9c88482f1e431 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html c2146741a28de6043ad78bc9afde0bf8e0c1f0a1c0bcca0ab6ecc01e92436a92 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2682f0c4e95b30fcb99ba03cf8faaf2d4db998fc3c9883aaeacb3433ec2a0014 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 2da0f4bbd7f3d3b9b52e102caf1585301382c55e4188ee0bca1bf9de45ab2fac 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html e3fede24a893cf2bc3d1b575c9784e284dfd5f008781492f5499536f78ffcd0b 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html d32b85e8e08d6168bbe9cd3024ba898ee456ba4ea3a58bc72138480384e0d717 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html aa0d9aac5ad1a4f0fe32689922083bf81c96bab7cd60ef7153994fdb773f8a10 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html ca9f332c17f3d9333fd8aa15d814a6e669c7c498e48b4b2904faff4aa4234073 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 4a84e4e2a2460618ba58f6ba92c56c5eb7914e2234e97488e368736c3dbc1f2b 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html a6d45b05841394f3e1935d9e3bcb002750f0318422a62aba03fd6753a1e36eed 2 /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-index.html 8a96bcdaaf93a334d9cfdeeb4e6b7e8f002d0e010a034757a3729c0b5a2c5f02 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 10ff24aaa737ea4e105570585145b895ee8d09379f969fb695a5dbdc6ccba4ae 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html ede61990bc6027e662f3ff392c3c3fa8cb38aa216edb5aa22258acd8172ece22 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 7c8ec10918d012e69a08e7d4c1f012fa57d7b1002f826dfad6156da966041c47 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html ea066413e18354501a50ddb48f784b72b2344f610ba0f0ce540f3fa30935d4f6 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html c5ada4e5497a4a3b54712c3edfdb924643e9165f657386e590ef856595e7940b 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html f6e10946d720f72d9383e0b9854d2dfb0f5e1e6dd0f380d382b5e985f221feb4 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html a9ca069a7cb6cf676dc2d492151d70a132d49d71bf0226d4fbf5ddd473093f87 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html c5510b92320f8f6a8945bedb5d4510961d337e9f5e7672070e6f690a785aa50e 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 71e8ef3c2422a3c06a88a215169af436efea8d7778dab1cc7ebedd2f3599b2af 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 8ea3a319fcda1af9b322bb9fd3135d72633ee32ce0743ac7c92071290bf57fc7 2 /usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-index.html ee88ebb127c3e014def3a9d5220f39fd4f0ffeda8c4269af69dfce0c5147aa58 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 8683234fa497c5d2cb1379a230c5ff3e1e61174faa5352f4cb20318f972d386c 2 -/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html d9a078c4395a3ec777eb41bd5fef4abac29537c3cedb639047673c03dea48e6e 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 37c58295a8f5c788b700fb566786b1ff34c6468e09416ffa175ef80050f35b22 2 +/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 5e325cba0632c6289deae45995cb090c30f998805bc37dadab90902ca3b2049e 2 /usr/share/doc/scap-security-guide/tables 0 /usr/share/licenses/scap-security-guide-ubuntu 0 /usr/share/licenses/scap-security-guide-ubuntu/LICENSE ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298 128 @@ -233,25 +233,25 @@ /usr/share/xml/scap/ssg/content 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 2471d6ff7a0c2de16b8760b16b5c721e691c7a3c0604f25d4d189d74873682c4 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-oval.xml e5e9192175cdb446668f507ea04989eedf607c5a0d4016da6b897996080278ce 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 468865bbdbcfa6aca95653fc397425de356bf8322cec0b1c4627b6f03cf92f1b 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 3008a4251f7b67cdfc2f15f118f0bc2579cb6248d51d93066e05942faa78c659 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 0e6e701bc00cc4fa78e3abe2b2a010390ca339625087475c6aedbf690539c91a 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml db5a1a8d99833f999a2450822101ac7e0f992a659bc5b7ae95693835a3294b09 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 95b97dde55b8bfe55b3e20188a2d63edc194e8c33543a1b86e564b8c1fdb6761 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml f9f09d591da1846adcfb033fe954fc05c6f3acbb1b80ecaae66e3524c880f227 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml cfb03a425b4e513415a4085000c6a98349c4b78db9ca5d3cf32626e32575d4b8 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 5be73d5a5ad50f56fa58c96d950f4c28aa62aebf4d0acd9559790005025d9dac 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml ac09e3e1c59e2085ae2aa8cc7a98132b0012a76d19b46cd49c14caac96bb8936 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-cpe-dictionary.xml 86672355f727e3abf517b1937b1e91f6719e0cc993ef2c25939b282424a304b4 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-cpe-oval.xml 35bc02f238dcac9ed6ec8fae912655f1d492e01e7639dd8d3a4a88655ba945a0 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml d23c4315a750cc8ef52cf241fb761ef8dbb90c8f896d9c68ae0b5af51e5ae4fb 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml cf5bc223b15334928c47bc6407533af000ee94b2f73be51c4ee472c1a08dd00c 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 078bce1e7be90a464a318725b5408d57622ee9de0a7244303a5da85d7e74715d 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml df929acdfe115b45d69104b6052d838cabb30239bcf99b1a622a95c9b45962a1 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 7137b965a747302f4e112c9d0989d35dbd1facddf79fc7c3af978e67f28124a5 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 709297485143ebb70c9e47f23eb881d7377b670614f76441e9f560b28688ffe9 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-oval.xml 34ceac54c1853a7ab3eb9a7b5d86fbb47d467d7ceb90ae69d67d8ac18ebc4d77 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 44e6d7607338a70964840fee942768dfdf8a3b27b1114acb3bbbf5b2bd9de8cd 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml c8b69a51442d37090fc9a00b6b6d086e1acc7db0cfee1cfea74ce1f1ca2d8e02 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-cpe-dictionary.xml 01f8c5a1a04774c11ecea74f61afba2b0881238f658a9419e635dfc3150653e5 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-cpe-oval.xml 0bfe16ffc0765b1926d3034dc008ec665908d5da0e873d0451ded33ec2658195 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 436203cbb7f58ae3c6a8b36294c11aa0b35ab7ec00791a510a22cac0e67171de 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml f20d87150f48897bf76e9a0d0ef9aeb3c26d3eecb90e2a6c0dd1ba3485864bf5 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 0eae347254c129ffa03d734a3fcea7bd8162d091c5dbcd4a9edfe9b8130b2ebc 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 23fab276fc470aeb7a316366932a70fef59d66c5f15479bcf354d3f0b8ca93f0 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 15101beaf94ab0102470d262c5368d2abdbf4bfdbe6313051fa577676cb8c6d3 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 0fed41cde526943d4e609900c2e8fb8e7ce992907aea3ce3f11cf46964a38a11 0 /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-oval.xml 27f040a6bc4276f1e41d6ec7180bccc622c9eccff7b1dcead7589078d8ab5745 0 -/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 5defbd72c4da63c71d85489cb8df6b0e18527a96453db8fc674ebc548e0b1ec2 0 +/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml aaf193fb78011ef8e3b6780e2d22ce722aa8bc2c0643528d1c756a2615b01fa8 0 ___QF_CHECKSUM___ comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_average

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 16.04   Group contains 19 groups and 40 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 High (Enforced) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 16.04   Group contains 22 groups and 46 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Minimal Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services

Checklist

Group   Guide to the Secure Configuration of Ubuntu 16.04   Group contains 9 groups and 19 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Restrictive Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 16.04   Group contains 21 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Ubuntu 16.04
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 16.04   Group contains 19 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Average (Intermediate) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_average

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Configure Syslog
    3. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 18.04   Group contains 19 groups and 40 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 High (Enforced) Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 18.04   Group contains 22 groups and 46 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Minimal Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Deprecated services

Checklist

Group   Guide to the Secure Configuration of Ubuntu 18.04   Group contains 9 groups and 19 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleProfile for ANSSI DAT-NT28 Restrictive Level
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 18.04   Group contains 21 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 2022-02-22 00:00:00.000000000 +0000 @@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Ubuntu 18.04 LTS Benchmark
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Network Configuration and Firewalls
    4. File Permissions and Masks
  2. Services
    1. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 18.04   Group contains 21 groups and 71 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Ubuntu 18.04
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. System Accounting with auditd
    3. Configure Syslog
    4. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. Deprecated services
    3. Network Time Protocol
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 18.04   Group contains 19 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Ubuntu 20.04 Level 1 Server Benchmark
Profile IDxccdf_org.ssgproject.content_profile_cis_level1_server

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. Deprecated services
    4. DHCP
    5. DNS Server
    6. FTP Server
    7. Web Server
    8. IMAP and POP3 Server
    9. LDAP
    10. Network Time Protocol
    11. Obsolete Services
    12. Print Support
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of Ubuntu 20.04   Group contains 81 groups and 189 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Ubuntu 20.04 Level 1 Workstation Benchmark
Profile IDxccdf_org.ssgproject.content_profile_cis_level1_workstation

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. GRUB2 bootloader configuration
    4. Configure Syslog
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. Deprecated services
    4. DHCP
    5. DNS Server
    6. FTP Server
    7. Web Server
    8. IMAP and POP3 Server
    9. LDAP
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 20.04   Group contains 78 groups and 188 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Ubuntu 20.04 Level 2 Server Benchmark
Profile IDxccdf_org.ssgproject.content_profile_cis_level2_server

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. Deprecated services
    4. DHCP
    5. DNS Server
    6. FTP Server
    7. Web Server
    8. IMAP and POP3 Server
    9. LDAP
    10. Network Time Protocol
    11. Obsolete Services
    12. Print Support
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server
    17. X Window System

Checklist

Group   Guide to the Secure Configuration of Ubuntu 20.04   Group contains 92 groups and 273 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 2022-02-22 00:00:00.000000000 +0000 @@ -66,7 +66,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCIS Ubuntu 20.04 Level 2 Workstation Benchmark
Profile IDxccdf_org.ssgproject.content_profile_cis_level2_workstation

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. Deprecated services
    4. DHCP
    5. DNS Server
    6. FTP Server
    7. Web Server
    8. IMAP and POP3 Server
    9. LDAP
    10. Network Time Protocol
    11. Obsolete Services
    12. Print Support
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 20.04   Group contains 92 groups and 275 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 2022-02-22 00:00:00.000000000 +0000 @@ -65,7 +65,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for Ubuntu 20.04
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. Configure Syslog
    5. File Permissions and Masks
  2. Services
    1. Apport Service
    2. Cron and At Daemons
    3. Deprecated services
    4. Network Time Protocol
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of Ubuntu 20.04   Group contains 22 groups and 45 rules
Group   /usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 2022-02-22 00:00:00.000000000 +0000 @@ -68,7 +68,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleCanonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R1
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~

Revision History

Current version: 0.1.60

  • draft - (as of 2022-02-28) + (as of 2037-04-02)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. APT service configuration
    2. Base Services
    3. Deprecated services
    4. Network Time Protocol
    5. Obsolete Services
    6. SSH Server
    7. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of Ubuntu 20.04   Group contains 73 groups and 172 rules
Group   /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -12676,154 +12676,154 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Ensure nss-tools is installed - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Ensure SELinux State is Enforcing + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify User Who Owns Backup gshadow File - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Set Password Maximum Age + + Force frequent session key renegotiation - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for .rhosts Files - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Prevent Login to Accounts With Empty Password - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Verify User Who Owns shadow File + + Ensure rsyslog is Installed - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Remove the OpenSSH Server Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure gnutls-utils is installed + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Don't target root user in the sudoers file + + Disable Kerberos by removing host keytab /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -12678,154 +12678,154 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Ensure nss-tools is installed - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Ensure SELinux State is Enforcing + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify User Who Owns Backup gshadow File - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Set Password Maximum Age + + Force frequent session key renegotiation - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for .rhosts Files - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Prevent Login to Accounts With Empty Password - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Verify User Who Owns shadow File + + Ensure rsyslog is Installed - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Remove the OpenSSH Server Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure gnutls-utils is installed + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Don't target root user in the sudoers file + + Disable Kerberos by removing host keytab /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,154 +7,154 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Ensure nss-tools is installed - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Disable SSH TCP Forwarding + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Ensure SELinux State is Enforcing + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify User Who Owns Backup gshadow File - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Set Password Maximum Age + + Force frequent session key renegotiation - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Disable SSH Support for .rhosts Files - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Prevent Login to Accounts With Empty Password - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Verify User Who Owns shadow File + + Ensure rsyslog is Installed - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Remove the OpenSSH Server Package + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Ensure gnutls-utils is installed + + System Audit Logs Must Be Owned By Root - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 - - Don't target root user in the sudoers file + + Disable Kerberos by removing host keytab /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Ubuntu 16.04 This guide presents a catalog of security-relevant configuration settings for Ubuntu 16.04. It is a rendering of @@ -53,9 +53,9 @@ - + - + @@ -68,6 +68,11 @@ + + + + + @@ -78,19 +83,9 @@ - - - - - - - - - - - + - + @@ -103,19 +98,24 @@ + + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13583,166 +13583,166 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Add nosuid Option to /tmp - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Disable Mounting of cramfs - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure nss-tools is installed - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Verify User Who Owns Backup gshadow File - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Force frequent session key renegotiation - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Verify User Who Owns shadow File + + Disable SSH Support for .rhosts Files - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Remove the OpenSSH Server Package + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Ensure gnutls-utils is installed + + Ensure rsyslog is Installed - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Don't target root user in the sudoers file + + System Audit Logs Must Be Owned By Root /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -13583,166 +13583,166 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Add nosuid Option to /tmp - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Disable Mounting of cramfs - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure nss-tools is installed - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Verify User Who Owns Backup gshadow File - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Force frequent session key renegotiation - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Verify User Who Owns shadow File + + Disable SSH Support for .rhosts Files - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Remove the OpenSSH Server Package + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Ensure gnutls-utils is installed + + Ensure rsyslog is Installed - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Don't target root user in the sudoers file + + System Audit Logs Must Be Owned By Root /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,166 +7,166 @@ 2022-02-22T00:00:00 - - Resolve information before writing to audit logs + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Ensure /var Located On Separate Partition + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - Set hostname as computer node name in audit logs + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Attempts to Alter the localtime File + + Install the OpenSSH Server Package - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - A remote time server for Chrony is configured + + Add nosuid Option to /tmp - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Disable Mounting of cramfs - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Ensure nss-tools is installed - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-package_nss-tools_installed_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-sudo_add_requiretty_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Verify that All World-Writable Directories Have Sticky Bits Set - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 - - Disable SSH TCP Forwarding + + Ensure auditd Collects File Deletion Events by User - rename - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 - - Ensure SELinux State is Enforcing + + Configure auditd Disk Error Action on Disk Error - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-auditd_data_disk_error_action_action:testaction:1 - - Verify Group Who Owns Backup group File + + Verify that Shared Library Directories Have Restrictive Permissions - ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 - - Set Password Maximum Age + + Disable SSH Support for Rhosts RSA Authentication - ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 - - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Verify User Who Owns Backup gshadow File - ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Force frequent session key renegotiation - ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + ocil:ssg-sshd_rekey_limit_action:testaction:1 - - Verify User Who Owns shadow File + + Disable SSH Support for .rhosts Files - ocil:ssg-file_owner_etc_shadow_action:testaction:1 + ocil:ssg-sshd_disable_rhosts_action:testaction:1 - - Remove the OpenSSH Server Package + + Prevent Login to Accounts With Empty Password - ocil:ssg-package_openssh-server_removed_action:testaction:1 + ocil:ssg-no_empty_passwords_action:testaction:1 - - Ensure gnutls-utils is installed + + Ensure rsyslog is Installed - ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + ocil:ssg-package_rsyslog_installed_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Ensure Log Files Are Owned By Appropriate Group - ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 - - Don't target root user in the sudoers file + + System Audit Logs Must Be Owned By Root /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Ubuntu 18.04 This guide presents a catalog of security-relevant configuration settings for Ubuntu 18.04. It is a rendering of @@ -53,9 +53,9 @@ - + - + @@ -68,6 +68,11 @@ + + + + + @@ -78,19 +83,9 @@ - - - - - - - - - - - + - + @@ -103,19 +98,24 @@ + + + + + - + - + - + - + /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-02-22 00:00:00.000000000 +0000 @@ -23214,1402 +23214,1402 @@ 2022-02-22T00:00:00 - - Set Password Hashing Algorithm in /etc/login.defs + + Enable the OpenSSH Service - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure /var Located On Separate Partition + + Check that vlock is installed to allow session locking - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify permissions of log files - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-permissions_local_var_log_action:testaction:1 - - Verify Permissions on cron.weekly + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure GNOME3 DConf User Profile - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Verify permissions of log files + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-permissions_local_var_log_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Remove telnet Clients + + Install the OpenSSH Server Package - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Remove the X Windows Package Group - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure apt_get Removes Previous Package Versions - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Disable SSH TCP Forwarding + + Install McAfee Endpoint Security for Linux (ENSL) - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-package_mcafeetp_installed_action:testaction:1 - - Ensure SELinux State is Enforcing + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + System Audit Logs Must Be Owned By Root - ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 - - Ensure sudo group has only necessary members + + Disable Mounting of cramfs - ocil:ssg-ensure_sudo_group_restricted_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Verify Permissions on cron.hourly + + Ensure nss-tools is installed /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-02-22 00:00:00.000000000 +0000 @@ -23214,1402 +23214,1402 @@ 2022-02-22T00:00:00 - - Set Password Hashing Algorithm in /etc/login.defs + + Enable the OpenSSH Service - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure /var Located On Separate Partition + + Check that vlock is installed to allow session locking - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify permissions of log files - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-permissions_local_var_log_action:testaction:1 - - Verify Permissions on cron.weekly + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure GNOME3 DConf User Profile - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Verify permissions of log files + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-permissions_local_var_log_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Remove telnet Clients + + Install the OpenSSH Server Package - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Remove the X Windows Package Group - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure apt_get Removes Previous Package Versions - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Disable SSH TCP Forwarding + + Install McAfee Endpoint Security for Linux (ENSL) - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-package_mcafeetp_installed_action:testaction:1 - - Ensure SELinux State is Enforcing + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + System Audit Logs Must Be Owned By Root - ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 - - Ensure sudo group has only necessary members + + Disable Mounting of cramfs - ocil:ssg-ensure_sudo_group_restricted_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Verify Permissions on cron.hourly + + Ensure nss-tools is installed /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-02-22 00:00:00.000000000 +0000 @@ -7,1402 +7,1402 @@ 2022-02-22T00:00:00 - - Set Password Hashing Algorithm in /etc/login.defs + + Enable the OpenSSH Service - ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + ocil:ssg-service_sshd_enabled_action:testaction:1 - - Resolve information before writing to audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - chage - ocil:ssg-auditd_log_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 - - Uninstall talk Package + + Remove telnet Clients - ocil:ssg-package_talk_removed_action:testaction:1 + ocil:ssg-package_telnet_removed_action:testaction:1 - - Ensure /var Located On Separate Partition + + Check that vlock is installed to allow session locking - ocil:ssg-partition_for_var_action:testaction:1 + ocil:ssg-vlock_installed_action:testaction:1 - - Set Default iptables Policy for Forwarded Packets + + Ensure Users Re-Authenticate for Privilege Escalation - sudo - ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + ocil:ssg-sudo_require_authentication_action:testaction:1 - - Set hostname as computer node name in audit logs + + Ensure auditd Collects Information on the Use of Privileged Commands - insmod - ocil:ssg-auditd_name_format_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_insmod_action:testaction:1 - - Record Attempts to Alter the localtime File + + Verify that System Executables Have Restrictive Permissions - ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 - - Verify that Shared Library Directories Have Root Ownership + + Verify permissions of log files - ocil:ssg-dir_ownership_library_dirs_action:testaction:1 + ocil:ssg-permissions_local_var_log_action:testaction:1 - - Verify Permissions on cron.weekly + + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full - ocil:ssg-file_permissions_cron_weekly_action:testaction:1 + ocil:ssg-auditd_overflow_action_action:testaction:1 - - A remote time server for Chrony is configured + + Record Attempts to Alter Time Through clock_settime - ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 - - Record Events that Modify the System's Discretionary Access Controls - setxattr + + Ensure that System Accounts Do Not Run a Shell Upon Login - ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 - - Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Configure GNOME3 DConf User Profile - ocil:ssg-grub2_audit_argument_action:testaction:1 + ocil:ssg-enable_dconf_user_profile_action:testaction:1 - - Verify permissions of log files + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ocil:ssg-permissions_local_var_log_action:testaction:1 + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 - - Remove telnet Clients + + Install the OpenSSH Server Package - ocil:ssg-package_telnet_removed_action:testaction:1 + ocil:ssg-package_openssh-server_installed_action:testaction:1 - - Ensure All-Squashing Disabled On All Exports + + Remove the X Windows Package Group - ocil:ssg-no_all_squash_exports_action:testaction:1 + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 - - Ensure auditd Collects Information on Exporting to Media (successful) + + Ensure apt_get Removes Previous Package Versions - ocil:ssg-audit_rules_media_export_action:testaction:1 + ocil:ssg-clean_components_post_updating_action:testaction:1 - - Verify Group Who Owns Backup gshadow File + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr - ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 - - Disable SSH TCP Forwarding + + Install McAfee Endpoint Security for Linux (ENSL) - ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + ocil:ssg-package_mcafeetp_installed_action:testaction:1 - - Ensure SELinux State is Enforcing + + Ensure auditd Collects Information on the Use of Privileged Commands - su - ocil:ssg-selinux_state_action:testaction:1 + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 - - Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + System Audit Logs Must Be Owned By Root - ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 + ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 - - Ensure sudo group has only necessary members + + Disable Mounting of cramfs - ocil:ssg-ensure_sudo_group_restricted_action:testaction:1 + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 - - Verify Permissions on cron.hourly + + Ensure nss-tools is installed /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, UTF-8 Unicode text, with very long lines) --- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 +++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-02-22 00:00:00.000000000 +0000 @@ -1,6 +1,6 @@ - draft + draft Guide to the Secure Configuration of Ubuntu 20.04 This guide presents a catalog of security-relevant configuration settings for Ubuntu 20.04. It is a rendering of @@ -43,9 +43,9 @@ countries. All other names are registered trademarks or trademarks of their respective companies. - + - + @@ -53,19 +53,19 @@ - + - + - + - + - + - + @@ -73,29 +73,29 @@ - + - + - + - + - + - + - + - + - + - + @@ -103,14 +103,14 @@ - + - + - + - + @@ -118,14 +118,14 @@ - + - + - + - + overalldiffered=4 (not bit-by-bit identical) overall=1