/etc/passwd, run the command: $ sudo chgrp root /etc/passwd
/etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security.References: - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
-
-
-chgrp 0 /etc/passwd
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/passwd
+ 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/passwd
stat:
path: /etc/passwd
register: file_exists
@@ -149,15 +145,15 @@
- low_disruption
- medium_severity
- no_reboot_needed
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
+
+
+chgrp 0 /etc/passwd
Rule Verify User Who Owns passwd File [ref] | |||||||||||||
To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd | |||||||||||||
| Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | ||||||||||||
| Identifiers and References | References: - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify Permissions on passwd File [ref] | |||||||||||||
@@ -197,12 +197,7 @@
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd | ||||||||||||
| Identifiers and References | References: - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo zypper install aide
Identifiers: CCE-83067-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,13 +132,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -176,18 +176,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -277,22 +277,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -517,15 +517,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83182-6 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 5.1.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -594,13 +582,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,19 +115,7 @@
$ sudo zypper install aide
Identifiers: CCE-83067-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,13 +132,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -176,18 +176,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -277,22 +277,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -469,15 +469,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83182-6 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 5.1.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -546,13 +534,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,19 +115,7 @@
$ sudo zypper install aide
Identifiers: CCE-83067-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,13 +132,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -176,18 +176,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -277,22 +277,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -469,15 +469,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83182-6 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 5.1.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -546,13 +534,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,19 +115,7 @@
$ sudo zypper install aide
Identifiers: CCE-83067-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,13 +132,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -176,18 +176,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -277,22 +277,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -517,15 +517,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83182-6 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 5.1.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -594,13 +582,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -113,11 +113,7 @@
Verify Group Who Owns passwd File
[ref]/etc/passwd, run the command: $ sudo chgrp root /etc/passwd
/etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security.References: - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 6.1.2
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
-
-
-chgrp 0 /etc/passwd
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/passwd
+ 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 6.1.2| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/passwd
stat:
path: /etc/passwd
register: file_exists
@@ -149,15 +145,15 @@
- low_disruption
- medium_severity
- no_reboot_needed
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
+
+
+chgrp 0 /etc/passwd
Rule Verify User Who Owns passwd File [ref] | |||||||||||||
To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd | |||||||||||||
| Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | ||||||||||||
| Identifiers and References | References: - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 6.1.2 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify Permissions on passwd File [ref] | |||||||||||||
@@ -197,12 +197,7 @@
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd | ||||||||||||
| Identifiers and References | References: - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 6.1.2 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo zypper install aide
Identifiers: CCE-83067-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -140,13 +128,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,73 +169,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||
| Identifiers and References | Identifiers: CCE-83204-8 References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Configure Notification of Post-AIDE Scan Details - [ref] | |||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
-If AIDE has already been configured for periodic execution in /etc/crontab, append the
-following line to the existing AIDE line:
-| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost-Otherwise, add the following line to /etc/crontab:
-05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost-AIDE can be executed periodically through other means; this is merely one example. | |||||||||||||
| Rationale: | Unauthorized changes to the baseline configuration could make the system vulnerable
-to various attacks or allow unauthorized access to the operating system. Changes to
-operating system configurations can have unintended side effects, some of which may
-be relevant to security.
- -Detecting such changes and providing an automated response can help avoid unintended, -negative consequences that could ultimately affect the security state of the operating -system. The operating system's Information Management Officer (IMO)/Information System -Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or -monitoring system trap when there is an unauthorized modification of a configuration item. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||
| Identifiers and References | Identifiers: - CCE-83048-9 References: - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r603262_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | Identifiers: CCE-83291-5 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | Identifiers: - CCE-85663-3 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | Identifiers: + CCE-85663-3 References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.Identifiers: CCE-91163-6
References: - BP28(R8), SRG-OS-000191-GPOS-00080
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-zypper install -y "dnf-automatic"
-
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
+ BP28(R8), SRG-OS-000191-GPOS-00080| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -262,13 +256,19 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
class install_dnf-automatic {
package { 'dnf-automatic':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+zypper install -y "dnf-automatic"
Rule Configure dnf-automatic to Install Available Updates Automatically [ref] | |||||||||
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | |||||||||
| Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | ||||||||
| Identifiers and References | Identifiers: CCE-91165-1 References: - BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | ||||||||
Remediation Ansible snippet ⇲
| |||||||||
Rule + Configure dnf-automatic to Install Only Security Updates + [ref] | |||||
To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | |||||
| Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | ||||
| Severity: | low | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | ||||
| Identifiers and References | Identifiers: + CCE-91166-9 References: + BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | ||||
Remediation Ansible snippet ⇲
| |||||
Rule
- Configure dnf-automatic to Install Only Security Updates
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,19 +115,7 @@
| |||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-83289-9 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | ||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -177,18 +177,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-85787-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -283,22 +283,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-85671-6 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -523,15 +523,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83288-1 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 1.3.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -600,13 +588,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,19 +115,7 @@
$ sudo zypper install aide
Identifiers: CCE-83289-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,13 +132,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -177,18 +177,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-85787-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -283,22 +283,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-85671-6 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -475,15 +475,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83288-1 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 1.3.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -552,13 +540,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,19 +115,7 @@
$ sudo zypper install aide
Identifiers: CCE-83289-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,13 +132,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -177,18 +177,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-85787-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -283,22 +283,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-85671-6 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -475,15 +475,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83288-1 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 1.3.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -552,13 +540,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,19 +115,7 @@
$ sudo zypper install aide
Identifiers: CCE-83289-9
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,13 +132,25 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -177,18 +177,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-85787-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -283,22 +283,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-85671-6 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -523,15 +523,7 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | |||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | ||||
| Identifiers and References | Identifiers: CCE-83288-1 References: - 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Remediation Ansible snippet ⇲
| |||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125, 1.3.1
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -600,13 +588,25 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
+
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 2022-06-27 00:00:00.000000000 +0000
@@ -429,25 +429,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data.Identifiers: CCE-85776-3
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -492,6 +474,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -502,11 +502,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-85795-3 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
dconf update.Identifiers: CCE-85777-1
References: - 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
- else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-if [[ -z "${LOCKFILES}" ]]
-then
- echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
+ 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -714,23 +669,7 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-Rule - Require Encryption for Remote Access in GNOME3 - [ref] | |||||
By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
-require-encryption to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/Vino] -require-encryption=true --Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/Vino/require-encryption-After the settings have been set, run dconf update. | |||||
| Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
-remotely. | ||||
| Severity: | medium | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | ||||
| Identifiers and References | Identifiers: - CCE-85822-5 References: - 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | ||||
Remediation Shell script ⇲
| |||||
Rule
+ Require Encryption for Remote Access in GNOME3
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -392,19 +392,7 @@
| |||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-83289-9 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | ||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -454,18 +454,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-85787-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -560,22 +560,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-85671-6 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-85791-2
References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014
-function remediate_libreswan_crypto_policy() {
- CONFIG_FILE="/etc/ipsec.conf"
- if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
- echo 'include /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
- fi
- return 0
-}
-
-remediate_libreswan_crypto_policy
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Configure Libreswan to use System Crypto Policy
+ CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Configure Libreswan to use System Crypto Policy
lineinfile:
path: /etc/ipsec.conf
line: include /etc/crypto-policies/back-ends/libreswan.config
@@ -729,6 +719,16 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+function remediate_libreswan_crypto_policy() {
+ CONFIG_FILE="/etc/ipsec.conf"
+ if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
+ echo 'include /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
+ fi
+ return 0
+}
+
+remediate_libreswan_crypto_policy
Rule Configure OpenSSL library to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -740,34 +740,7 @@
if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | medium | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | ||||||||||||||||
| Identifiers and References | Identifiers: CCE-85794-6 References: - CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | ||||||||||||||||
Remediation Shell script ⇲ | |||||||||||||||||
| Severity: | medium | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | ||||||||||||||||
| Identifiers and References | Identifiers: CCE-83261-8 References: - BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SLES-15-010010, SV-234802r622137_rule | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
silent option, user enumeration attacks
are also mitigated.Identifiers: CCE-85842-3
References: - BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050
# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-var_accounts_passwords_pam_faillock_deny='3'
-
-
-if [ -f /usr/bin/authselect ]; then
- if authselect check; then
- authselect enable-feature with-faillock
- authselect apply-changes
-else
- echo "
-authselect integrity check failed. Remediation aborted!
-This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
-It is not recommended to manually edit the PAM files when authselect tool is available.
-In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
- false
-fi
-else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
-for pam_file in "${AUTH_FILES[@]}"
-do
- if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
- sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth required pam_faillock.so authfail' "$pam_file"
- sed -i --follow-symlinks '/^account.*required.*pam_unix.so.*/i account required pam_faillock.so' "$pam_file"
- fi
- sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock.so)/\1required \3/g' "$pam_file"
-done
-fi
-FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ -f $FAILLOCK_CONF ]; then
- regex="^\s*deny\s*="
- line="deny = $var_accounts_passwords_pam_faillock_deny"
- if ! grep -q $regex $FAILLOCK_CONF; then
- echo $line >> $FAILLOCK_CONF
- else
- sed -i --follow-symlinks 's/^\s*\(deny\s*=\s*\)\([0-9]\+\)/\1'"$var_accounts_passwords_pam_faillock_deny"'/g' $FAILLOCK_CONF
- fi
-else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
- for pam_file in "${AUTH_FILES[@]}"
- do
- if ! grep -qE '^\s*auth.*pam_faillock.so (preauth|authfail).*deny' "$pam_file"; then
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
- sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
- else
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
- sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
- fi
- done
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Gather the package facts
+ BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -669,28 +613,12 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
-Rule - Configure the root Account for Failed Password Attempts - [ref] | |||||||
This rule configures the system to lock out the root account after a number of
-incorrect login attempts using pam_faillock.so.
-
-pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
-defined to work as expected. In order to avoid errors when manually editing these files, it is
-recommended to use the appropriate tools, such as authselect or authconfig,
-depending on the OS version.Warning:
- If the system relies on authselect tool to manage PAM settings, the remediation
-will also use authselect tool. However, if any manual modification was made in
-PAM files, the authselect integrity check will fail and the remediation will be
-aborted in order to preserve intentional changes. In this case, an informative message will
-be shown in the remediation report.
-If the system supports the /etc/security/faillock.conf file, the pam_faillock
-parameters should be defined in faillock.conf file. | |||||||
| Rationale: | By limiting the number of failed logon attempts, the risk of unauthorized system access via
-user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
-the account. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root | ||||||
| Identifiers and References | Identifiers: - CCE-91171-9 References: - BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | ||||||
Remediation Shell script ⇲
| |||||||
Rule + Configure the root Account for Failed Password Attempts + [ref] | |||||||
This rule configures the system to lock out the root account after a number of
+incorrect login attempts using pam_faillock.so.
+
+pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
+defined to work as expected. In order to avoid errors when manually editing these files, it is
+recommended to use the appropriate tools, such as authselect or authconfig,
+depending on the OS version.Warning:
+ If the system relies on authselect tool to manage PAM settings, the remediation
+will also use authselect tool. However, if any manual modification was made in
+PAM files, the authselect integrity check will fail and the remediation will be
+aborted in order to preserve intentional changes. In this case, an informative message will
+be shown in the remediation report.
+If the system supports the /etc/security/faillock.conf file, the pam_faillock
+parameters should be defined in faillock.conf file. | |||||||
| Rationale: | By limiting the number of failed logon attempts, the risk of unauthorized system access via
+user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
+the account. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root | ||||||
| Identifiers and References | Identifiers: + CCE-91171-9 References: + BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | ||||||
Remediation Ansible snippet ⇲
| |||||||
Rule - Set Interval For Counting Failed Password Attempts - [ref] | |||||||||||||||||||||||||
Utilizing pam_faillock.so, the fail_interval directive configures the system
-to lock out an account after a number of incorrect login attempts within a specified time
-period.Warning:
- If the system relies on authselect tool to manage PAM settings, the remediation
-will also use authselect tool. However, if any manual modification was made in
-PAM files, the authselect integrity check will fail and the remediation will be
-aborted in order to preserve intentional changes. In this case, an informative message will
-be shown in the remediation report.
-If the system supports the /etc/security/faillock.conf file, the pam_faillock
-parameters should be defined in faillock.conf file. | |||||||||||||||||||||||||
| Rationale: | By limiting the number of failed logon attempts the risk of unauthorized system
-access via user password guessing, otherwise known as brute-forcing, is reduced.
-Limits are imposed by locking the account. | ||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: - CCE-91169-3 References: - BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050 | ||||||||||||||||||||||||
Remediation Shell script ⇲ | |||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-83289-9 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | ||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,73 +169,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||
| Identifiers and References | Identifiers: CCE-85610-4 References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -336,22 +336,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -156,24 +156,24 @@
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -467,6 +446,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1
-[[packages]]
-name = "syslog-ng"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
+ BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
package:
name: syslog-ng
state: present
@@ -500,13 +496,17 @@
- medium_severity
- no_reboot_needed
- package_syslogng_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
class install_syslog-ng {
package { 'syslog-ng':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "syslog-ng"
+version = "*"
Rule Enable syslog-ng Service [ref] | |||||||||||||
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -514,10 +514,7 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | |||||||||||||
| Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | ||||||||||||
| Identifiers and References | References: - BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -399,10 +399,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -690,6 +669,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 2022-06-27 00:00:00.000000000 +0000
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
@@ -144,33 +129,33 @@
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
-Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ apt-get install syslog-ng-core
References: - BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1
-[[packages]]
-name = "syslog-ng"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
+ BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
package:
name: syslog-ng
state: present
@@ -254,13 +250,17 @@
- medium_severity
- no_reboot_needed
- package_syslogng_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
class install_syslog-ng {
package { 'syslog-ng':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "syslog-ng"
+version = "*"
Rule Enable syslog-ng Service [ref] | |||||||||||||||||||
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,10 +268,7 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | |||||||||||||||||||
| Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | ||||||||||||||||||
| Identifiers and References | References: - BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Ensure rsyslog is Installed [ref] | |||||||||||||||||||
Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | |||||||||||||||||||
| Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable rsyslog Service [ref] | |||||||||||||
The rsyslog service provides syslog-style logging by default on Debian 10.
@@ -339,10 +339,7 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | |||||||||||||
| Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | ||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -399,10 +399,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -669,6 +648,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -230,11 +230,7 @@
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -275,10 +275,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -545,15 +524,32 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure rsyslog is Installed [ref] | |||||||||||||||||||
Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | |||||||||||||||||||
| Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable rsyslog Service [ref] | |||||||||||||||||||
The rsyslog service provides syslog-style logging by default on Debian 10.
@@ -580,10 +580,7 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | |||||||||||||||||||
| Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
/etc/group, run the command: $ sudo chgrp root /etc/group
/etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.References: - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
-
-
-chgrp 0 /etc/group
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/group
+ 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/group
stat:
path: /etc/group
register: file_exists
@@ -692,15 +688,15 @@
- low_disruption
- medium_severity
- no_reboot_needed
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 2022-06-27 00:00:00.000000000 +0000
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
@@ -213,33 +198,33 @@
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
-Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -467,6 +446,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1
-[[packages]]
-name = "syslog-ng"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
+ BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
package:
name: syslog-ng
state: present
@@ -500,13 +496,17 @@
- medium_severity
- no_reboot_needed
- package_syslogng_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
class install_syslog-ng {
package { 'syslog-ng':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "syslog-ng"
+version = "*"
Rule Enable syslog-ng Service [ref] | |||||||||||||
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -514,10 +514,7 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | |||||||||||||
| Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | ||||||||||||
| Identifiers and References | References: - BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -399,10 +399,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -690,6 +669,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 2022-06-27 00:00:00.000000000 +0000
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
@@ -144,33 +129,33 @@
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
-Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ apt-get install syslog-ng-core
References: - BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1
-[[packages]]
-name = "syslog-ng"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
+ BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
package:
name: syslog-ng
state: present
@@ -254,13 +250,17 @@
- medium_severity
- no_reboot_needed
- package_syslogng_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
class install_syslog-ng {
package { 'syslog-ng':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "syslog-ng"
+version = "*"
Rule Enable syslog-ng Service [ref] | |||||||||||||||||||
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,10 +268,7 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | |||||||||||||||||||
| Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | ||||||||||||||||||
| Identifiers and References | References: - BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Ensure rsyslog is Installed [ref] | |||||||||||||||||||
Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | |||||||||||||||||||
| Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable rsyslog Service [ref] | |||||||||||||
The rsyslog service provides syslog-style logging by default on Debian 11.
@@ -339,10 +339,7 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | |||||||||||||
| Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | ||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -399,10 +399,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -669,6 +648,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -230,11 +230,7 @@
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -275,10 +275,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -545,15 +524,32 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure rsyslog is Installed [ref] | |||||||||||||||||||
Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | |||||||||||||||||||
| Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable rsyslog Service [ref] | |||||||||||||||||||
The rsyslog service provides syslog-style logging by default on Debian 11.
@@ -580,10 +580,7 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | |||||||||||||||||||
| Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
/etc/group, run the command: $ sudo chgrp root /etc/group
/etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.References: - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
-
-
-chgrp 0 /etc/group
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/group
+ 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/group
stat:
path: /etc/group
register: file_exists
@@ -692,15 +688,15 @@
- low_disruption
- medium_severity
- no_reboot_needed
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 2022-06-27 00:00:00.000000000 +0000
@@ -165,22 +165,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
@@ -213,33 +198,33 @@
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
-Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -467,6 +446,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1
-[[packages]]
-name = "syslog-ng"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
+ BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
package:
name: syslog-ng
state: present
@@ -500,13 +496,17 @@
- medium_severity
- no_reboot_needed
- package_syslogng_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
class install_syslog-ng {
package { 'syslog-ng':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "syslog-ng"
+version = "*"
Rule Enable syslog-ng Service [ref] | |||||||||||||
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -514,10 +514,7 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | |||||||||||||
| Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | ||||||||||||
| Identifiers and References | References: - BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -399,10 +399,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -690,6 +669,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2022-06-27 00:00:00.000000000 +0000
@@ -96,22 +96,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
@@ -144,33 +129,33 @@
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
-Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ apt-get install syslog-ng-core
References: - BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1
-[[packages]]
-name = "syslog-ng"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
+ BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure syslog-ng is installed
package:
name: syslog-ng
state: present
@@ -254,13 +250,17 @@
- medium_severity
- no_reboot_needed
- package_syslogng_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_syslog-ng
class install_syslog-ng {
package { 'syslog-ng':
ensure => 'installed',
}
}
+
+[[packages]]
+name = "syslog-ng"
+version = "*"
Rule Enable syslog-ng Service [ref] | |||||||||||||||||||
The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
@@ -268,10 +268,7 @@
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service | |||||||||||||||||||
| Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | ||||||||||||||||||
| Identifiers and References | References: - BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Ensure rsyslog is Installed [ref] | |||||||||||||||||||
Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | |||||||||||||||||||
| Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable rsyslog Service [ref] | |||||||||||||
The rsyslog service provides syslog-style logging by default on Debian 9.
@@ -339,10 +339,7 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | |||||||||||||
| Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | ||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -399,10 +399,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -669,6 +648,27 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -230,11 +230,7 @@
Rule Ensure the audit Subsystem is Installed [ref] | |||||||||||||||||||
The audit package should be installed. | |||||||||||||||||||
| Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R50), CCI-000172, CCI-001814, CCI-001875, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable auditd Service [ref] | |||||||||||||||||||
The auditd service is an essential userspace component of
@@ -275,10 +275,7 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | |||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | ||||||||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001876, CCI-002884, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-LOGROTATE_CONF_FILE="/etc/logrotate.conf"
-CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
-
-# daily rotation is configured
-grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
-
-# remove any line configuring weekly, monthly or yearly rotation
-sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
-
-# configure cron.daily if not already
-if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
- echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
- echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
+ BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Configure daily log rotation in /etc/logrotate.conf
lineinfile:
create: true
dest: /etc/logrotate.conf
@@ -545,15 +524,32 @@
- low_disruption
- medium_severity
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure rsyslog is Installed [ref] | |||||||||||||||||||
Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | |||||||||||||||||||
| Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Enable rsyslog Service [ref] | |||||||||||||||||||
The rsyslog service provides syslog-style logging by default on Debian 9.
@@ -580,10 +580,7 @@
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service | |||||||||||||||||||
| Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
/etc/group, run the command: $ sudo chgrp root /etc/group
/etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.References: - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
-
-
-chgrp 0 /etc/group
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/group
+ 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | configure |
- name: Test for existence /etc/group
stat:
path: /etc/group
register: file_exists
@@ -692,15 +688,15 @@
- low_disruption
- medium_severity
- no_reboot_needed
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -148,24 +148,24 @@
+
-
-
+
-
-
+
-
-
+
-
@@ -173,14 +173,14 @@
-
+
-
-
+
-
@@ -188,29 +188,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -218,14 +218,14 @@
-
+
-
-
+
-
@@ -2026,11 +2026,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -2055,6 +2050,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3110,6 +3110,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3131,20 +3145,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3162,6 +3162,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -148,24 +148,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -173,14 +173,14 @@
-
+
-
-
+
-
@@ -188,29 +188,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -218,14 +218,14 @@
-
+
-
-
+
-
@@ -2026,11 +2026,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -2055,6 +2050,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3110,6 +3110,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3131,20 +3145,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3162,6 +3162,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-06-27 00:00:00.000000000 +0000
@@ -7,184 +7,172 @@
2022-06-27T00:00:00
-
- Verify Group Who Owns Backup passwd File
-
- ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1
-
-
-
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
- ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1
-
-
-
- Disable XDMCP in GDM
+
+ Restrict Virtual Console Root Logins
- ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1
+ ocil:ssg-securetty_root_login_console_only_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Ensure All Accounts on the System Have Unique Names
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-account_unique_name_action:testaction:1
-
- Enable Encrypted X11 Forwarding
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Disable SSH Support for Rhosts RSA Authentication
+
+ Ensure /var/log/audit Located On Separate Partition
- ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
+ ocil:ssg-partition_for_var_log_audit_action:testaction:1
-
- Enable cron Service
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Disable kernel support for MISC binaries
+
+ Verify Group Who Owns /var/log/messages File
- ocil:ssg-kernel_config_binfmt_misc_action:testaction:1
+ ocil:ssg-file_groupowner_var_log_messages_action:testaction:1
-
- Disable GSSAPI Authentication
+
+ Enable the NTP Daemon
- ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1
+ ocil:ssg-service_ntpd_enabled_action:testaction:1
-
- Ensure There Are No Accounts With Blank or Null Passwords
+
+ Enable different security models
- ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
-
- Configure L1 Terminal Fault mitigations
+
+ Ensure rsyslog is Installed
- ocil:ssg-grub2_l1tf_argument_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Configure auditd Number of Logs Retained
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
- ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
-
- All GIDs referenced in /etc/passwd must be defined in /etc/group
+
+ Direct root Logins Not Allowed
- ocil:ssg-gid_passwd_group_same_action:testaction:1
+ ocil:ssg-no_direct_root_logins_action:testaction:1
-
- Verify that System Executables Have Restrictive Permissions
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-file_permissions_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Enable Yama support
+
+ Ensure auditd Collects File Deletion Events by User - rmdir
- ocil:ssg-kernel_config_security_yama_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Ensure auditd Collects Information on the Use of Privileged Commands
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Verify Permissions on SSH Server Public *.pub Key Files
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
-
- Enable poison without sanity check
+
+ Specify a Remote NTP Server
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-ntpd_specify_remote_server_action:testaction:1
-
- Ensure All Accounts on the System Have Unique Names
+
+ Disable Compression Or Set Compression to delayed
- ocil:ssg-account_unique_name_action:testaction:1
+ ocil:ssg-sshd_disable_compression_action:testaction:1
-
- Configure auditd to use audispd's syslog plugin
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Enable SLUB debugging support
+
+ Enable automatic signing of all modules
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_all_action:testaction:1
-
- Verify User Who Owns /var/log/syslog File
+
+ Verify User Who Owns Backup shadow File
- ocil:ssg-file_owner_var_log_syslog_action:testaction:1
+ ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -48,24 +48,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -73,14 +73,14 @@
-
+
-
-
+
-
@@ -88,29 +88,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -118,14 +118,14 @@
-
+
-
-
+
-
@@ -1926,11 +1926,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -1955,6 +1950,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3010,6 +3010,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3031,20 +3045,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3062,6 +3062,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -148,24 +148,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -173,14 +173,14 @@
-
+
-
-
+
-
@@ -188,29 +188,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -218,14 +218,14 @@
-
+
-
-
+
-
@@ -2026,11 +2026,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -2055,6 +2050,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3110,6 +3110,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3131,20 +3145,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3162,6 +3162,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -148,24 +148,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -173,14 +173,14 @@
-
+
-
-
+
-
@@ -188,29 +188,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -218,14 +218,14 @@
-
+
-
-
+
-
@@ -2026,11 +2026,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -2055,6 +2050,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3110,6 +3110,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3131,20 +3145,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3162,6 +3162,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-06-27 00:00:00.000000000 +0000
@@ -7,184 +7,172 @@
2022-06-27T00:00:00
-
- Verify Group Who Owns Backup passwd File
-
- ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1
-
-
-
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
- ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1
-
-
-
- Disable XDMCP in GDM
+
+ Restrict Virtual Console Root Logins
- ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1
+ ocil:ssg-securetty_root_login_console_only_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Ensure All Accounts on the System Have Unique Names
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-account_unique_name_action:testaction:1
-
- Enable Encrypted X11 Forwarding
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Disable SSH Support for Rhosts RSA Authentication
+
+ Ensure /var/log/audit Located On Separate Partition
- ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
+ ocil:ssg-partition_for_var_log_audit_action:testaction:1
-
- Enable cron Service
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Disable kernel support for MISC binaries
+
+ Verify Group Who Owns /var/log/messages File
- ocil:ssg-kernel_config_binfmt_misc_action:testaction:1
+ ocil:ssg-file_groupowner_var_log_messages_action:testaction:1
-
- Disable GSSAPI Authentication
+
+ Enable the NTP Daemon
- ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1
+ ocil:ssg-service_ntpd_enabled_action:testaction:1
-
- Ensure There Are No Accounts With Blank or Null Passwords
+
+ Enable different security models
- ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
-
- Configure L1 Terminal Fault mitigations
+
+ Ensure rsyslog is Installed
- ocil:ssg-grub2_l1tf_argument_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Configure auditd Number of Logs Retained
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
- ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
-
- All GIDs referenced in /etc/passwd must be defined in /etc/group
+
+ Direct root Logins Not Allowed
- ocil:ssg-gid_passwd_group_same_action:testaction:1
+ ocil:ssg-no_direct_root_logins_action:testaction:1
-
- Verify that System Executables Have Restrictive Permissions
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-file_permissions_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Enable Yama support
+
+ Ensure auditd Collects File Deletion Events by User - rmdir
- ocil:ssg-kernel_config_security_yama_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Ensure auditd Collects Information on the Use of Privileged Commands
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Verify Permissions on SSH Server Public *.pub Key Files
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
-
- Enable poison without sanity check
+
+ Specify a Remote NTP Server
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-ntpd_specify_remote_server_action:testaction:1
-
- Ensure All Accounts on the System Have Unique Names
+
+ Disable Compression Or Set Compression to delayed
- ocil:ssg-account_unique_name_action:testaction:1
+ ocil:ssg-sshd_disable_compression_action:testaction:1
-
- Configure auditd to use audispd's syslog plugin
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Enable SLUB debugging support
+
+ Enable automatic signing of all modules
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_all_action:testaction:1
-
- Verify User Who Owns /var/log/syslog File
+
+ Verify User Who Owns Backup shadow File
- ocil:ssg-file_owner_var_log_syslog_action:testaction:1
+ ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -48,24 +48,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -73,14 +73,14 @@
-
+
-
-
+
-
@@ -88,29 +88,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -118,14 +118,14 @@
-
+
-
-
+
-
@@ -1926,11 +1926,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -1955,6 +1950,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3010,6 +3010,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3031,20 +3045,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3062,6 +3062,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -148,24 +148,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -173,14 +173,14 @@
-
+
-
-
+
-
@@ -188,29 +188,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -218,14 +218,14 @@
-
+
-
-
+
-
@@ -2026,11 +2026,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -2055,6 +2050,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3110,6 +3110,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3131,20 +3145,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3162,6 +3162,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -148,24 +148,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -173,14 +173,14 @@
-
+
-
-
+
-
@@ -188,29 +188,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -218,14 +218,14 @@
-
+
-
-
+
-
@@ -2026,11 +2026,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -2055,6 +2050,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3110,6 +3110,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3131,20 +3145,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3162,6 +3162,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-06-27 00:00:00.000000000 +0000
@@ -7,184 +7,172 @@
2022-06-27T00:00:00
-
- Verify Group Who Owns Backup passwd File
-
- ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1
-
-
-
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
- ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1
-
-
-
- Disable XDMCP in GDM
+
+ Restrict Virtual Console Root Logins
- ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1
+ ocil:ssg-securetty_root_login_console_only_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Ensure All Accounts on the System Have Unique Names
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-account_unique_name_action:testaction:1
-
- Enable Encrypted X11 Forwarding
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Disable SSH Support for Rhosts RSA Authentication
+
+ Ensure /var/log/audit Located On Separate Partition
- ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
+ ocil:ssg-partition_for_var_log_audit_action:testaction:1
-
- Enable cron Service
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Disable kernel support for MISC binaries
+
+ Verify Group Who Owns /var/log/messages File
- ocil:ssg-kernel_config_binfmt_misc_action:testaction:1
+ ocil:ssg-file_groupowner_var_log_messages_action:testaction:1
-
- Disable GSSAPI Authentication
+
+ Enable the NTP Daemon
- ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1
+ ocil:ssg-service_ntpd_enabled_action:testaction:1
-
- Ensure There Are No Accounts With Blank or Null Passwords
+
+ Enable different security models
- ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
-
- Configure L1 Terminal Fault mitigations
+
+ Ensure rsyslog is Installed
- ocil:ssg-grub2_l1tf_argument_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Configure auditd Number of Logs Retained
+
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
- ocil:ssg-auditd_data_retention_num_logs_action:testaction:1
+ ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1
-
- All GIDs referenced in /etc/passwd must be defined in /etc/group
+
+ Direct root Logins Not Allowed
- ocil:ssg-gid_passwd_group_same_action:testaction:1
+ ocil:ssg-no_direct_root_logins_action:testaction:1
-
- Verify that System Executables Have Restrictive Permissions
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-file_permissions_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Enable Yama support
+
+ Ensure auditd Collects File Deletion Events by User - rmdir
- ocil:ssg-kernel_config_security_yama_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Ensure auditd Collects Information on the Use of Privileged Commands
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+
+ Verify Permissions on SSH Server Public *.pub Key Files
- ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1
+ ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1
-
- Enable poison without sanity check
+
+ Specify a Remote NTP Server
- ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
+ ocil:ssg-ntpd_specify_remote_server_action:testaction:1
-
- Ensure All Accounts on the System Have Unique Names
+
+ Disable Compression Or Set Compression to delayed
- ocil:ssg-account_unique_name_action:testaction:1
+ ocil:ssg-sshd_disable_compression_action:testaction:1
-
- Configure auditd to use audispd's syslog plugin
+
+ Ensure SSH LoginGraceTime is configured
- ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
+ ocil:ssg-sshd_set_login_grace_time_action:testaction:1
-
- Enable SLUB debugging support
+
+ Enable automatic signing of all modules
- ocil:ssg-kernel_config_slub_debug_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_all_action:testaction:1
-
- Verify User Who Owns /var/log/syslog File
+
+ Verify User Who Owns Backup shadow File
- ocil:ssg-file_owner_var_log_syslog_action:testaction:1
+ ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -48,24 +48,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -73,14 +73,14 @@
-
+
-
-
+
-
@@ -88,29 +88,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -118,14 +118,14 @@
-
+
-
-
+
-
@@ -1926,11 +1926,6 @@
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -1955,6 +1950,11 @@
}
}
+
+[[packages]]
+name = "aide"
+version = "*"
+
@@ -3010,6 +3010,20 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3031,20 +3045,6 @@
false
fi
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
@@ -3062,6 +3062,20 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
RPMS.2017/scap-security-guide-redhat-0.1.62-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.62-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-redhat-0.1.62-0.0.noarch.rpm to scap-security-guide-redhat-0.1.62-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -649,2 +649,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 52e77e3dd4b09086ba58eb88dd1a861441483d083ead01a39e1d0126eb28e187 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 30f6a47eccd8c814b5b122dbce30e6b54869568af7f5a652cd0d4a2f064966fa 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html ca548f292fb47b3aee55d7ae8f462227e4ebdc47b4500678a29c4307f6d2bab5 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 290246e91be2606bcbe5f95a088ace399242adf245c389f3650dac86360eb120 2
@@ -652,13 +652,13 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html ceb149ad323af740880c154dfb2f968106dd50864ccaf8c8aed0574e3671755f 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 8bba96b6010d871ca30f28b181756faf1f3f8e16bcadeb975ad90f37fe8aaa9a 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html a6acfbf689f51ca7acc30bc9e3aa53e9a80de288fd4f036a9c969b0ef43f3fce 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 0b48ba06056254e15d69b3704375e00e153d65c522ffc821ba3487a861bb1aca 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 84efe5ea82c4094333f9ef65ecd0219a44f8d6a5f21ca2c65615016234424c95 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html cec57efffb27e88d360a4c65e34ae98239047b64812936e7db568dfcd248b284 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html dc26353ada9b8ae96f705fc6d4f1423e19b4621a73271c8534e1316338717eaf 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html d0dc28ef931c58c18a2a25a6376aff5db8e48baa2360fc15e4a1b836bfa945be 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 3f2ce068f7d2194c3eb973399d1cffe1ab637a1535aba729ddf93aa007e94631 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html b5fff2639db6d62592958b077d2d51eb4854e38a13f83e947b25bf5dfeca3482 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 6a5ded1c4327daf12550dcdcb336e85d722241f4bcf2127a39664dee3a3303b8 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 83f442f64a7579bcde596207225bb44a1c8d5c00e5a685e964a2d86db30447d4 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 73c42e2ff8532544d7db83110194f558da1c327ffe3b72d1762a0c2e635b2dd8 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 72b3ca2aa9545ea6dc69930f149816b818365f258142f8e5cb5e880c82fdb75e 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html c3d3f82f63eb0e7a9d81bc034520509a8c00350fb3e154cd8037aa67143e1321 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 33b4b70925f988deac50186dd1161dffb2a6b125f3edcdf7499ad678e8b9115b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 3b61a2359bb61b72c2ac37fa421f108cce2d9a3526cc9380e37b4ccc068f8265 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 9d06c20d2c0df71422208921d91f7cb671760ec254343a16d312ec8e3e78efa2 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html a3c884df250c179babfb36273677deeeedecc6bdf3e5b2fb6e4885efae09b361 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html ed9480df3a7953755ea4203b52b22b4a8b2be4e51c213ba9e5c09bcbcbce533c 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 37e1cf4558a8951ec62b5ece3f06096d8d5b6f411b27414c3c378c27dd7afaa9 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html df0b62485653c92cd08a4f0a136b998caeb92acf8f7dbc720b9c2062542bb08b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 706f78494a9703fd2032ba9049b7115231a7d64f98c0b4390aef30b1d3183aa9 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 61a939ad939be9e0fcd38636ef0a9b45c1b7e6e4ea343792d8b9b1571e3d1275 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 24518da7005849eaa759a3c40da07a6832f4d95ea04d41845b1ac9cb2f317ecf 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html f0f1344a0c317a6033edf786df3b5e9fd3b9944f35fb0e965a012f649d3f2558 2
@@ -666,5 +666,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 377b4b289af022a7f59d05048bfdfb46c01c3a85f51572a905b29d4e691f4e95 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 11eb0249ad3feb780d562a1d05594d9bc53a844cf1e5c458d3af29072b9a176f 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html cc8a70ee4a0931fddc2ce1a168a820494add84f41e93c7e224e819dc4e1851ab 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html c4683b662b4014dd7cd23a9386f8a677e7ddcfff9a78848bb0fa3e9fbf9925a2 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 997a6a07dabeb46925a17670ddc239b0daef295c84ae4341bb6595a66617f13e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 224490a5cc229b2fc9936df63bfa1e8ceac9e7afa6a14a85a837fc40a5dd7a64 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 8d5b1337073cd6faefa6a1e70107865d63a81244ce3a1127cdc250c5a95c6fbf 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html a3f2fed27fdae209b0b279819a3b6c1fec716c2fa535fb0c2c37fa8991033dfc 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 83dcdf02ef563d07abb37399b3771e7780f2eed0f55def7817184cd6aeb79c94 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 307e1e79266f3a0aefa80dc4cd657fbbf6497acd60f80e25ac489462dfde887c 2
@@ -672,11 +672,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html e27fdad042700f756010c0e4a24ffedcf919e34456f3c5d19d3b0173b46e7abc 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html a2c41ca7783355c617519f1b736c2744cfbeec7e8a8f17c8bc22a28c48d5e593 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html cfb3a344a7b340b99b6e58085ea0af4daf0cc24f3dfeac0ef51d36998cc4806b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html ca3438e1292c7ea323ff28a258b4e567a956dd3462bcb7de7f71286d30d7cf67 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 2a3c9ca2d95000386e6f5d817e0b2718f911632cbc61414c45692a88b07aaa91 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 3738c6de25682a76305597a415d85d278f8f599a927eb45d5fc77a56687420c9 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html b435a595abbdcade929460800c30b853becda8c92273d276ad52e627086a9ace 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 60c890b8a066571746ed21ef90c9c78afe8f7a3fe4cf92555bacf62790d08e62 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html dcddabe8ebd31570c05abaa74aaa0cb5c3c8990e203e33e22095d8afb0db6dd0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 4029acd1c148d5227c9824141d468deae5a555fc89f16070a632f133491cd72f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html e6f203bfeedfd20600f2f9631361c958637ab33d21d3cbeda12427f8fac20976 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html f5257d36e368c0735102d24725ba68535d9f36c46c962dea7f382127a88466e6 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 7673f2b76ba77ee9afd58f5215bfff000cece8785205398871ba668e0951d909 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 835fbd502c9faab593479bc06db39a056e8e14adbe1b6f2ba5d04cd89a7da02b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 9de10b6bc57f91797847b607c35af87d36221abfbc0241b141e3d40807465450 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html e2d62be30b5d050a7a8b8d324d1c65df20e6f9bb8606983e8ce77040666e57f0 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 92b1783e4caae392dadc1caac2f5b681431e147ef1e451862fbb88c44b839cc3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 8c0fe1c5938968884052564134776e1068f6607d49a3b7534cef4a3eaff316e3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html dfe30b2f87170a1c60d59e258810a8195eed12c581c1074d3757ccf11f6524e2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html d6267f5f1e0d2242093be41f1bf765e5300105936dedd75b448d9ce78c56858a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 754eb32fdb3797987c8c51db8a7187f55ee39d81096a672e1a7d053200eef8de 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 593a3cc7755c8a86a3278aa8d7c01a50f3221817c38c1b39652011282853b981 2
@@ -684,14 +684,14 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 14fd88548f9fab33754bf3d9bfa400c57458417f9ca3186225727c9e577bfdc7 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 34de3bcf2585f6cad52f9137760ad20f5fae83a316d84fb5b382552a22d65852 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html aff92e5afa89fabc64d43f225860b9f153ce07184ee703e6a62082cb10307bd9 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 97ff5201795a11455d8bc3c1d39fc14761803e03d6285ce8008b75fab5e8762f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html b6ceeab7b374c96e3abd4e7a9229cbf92bb6dd2db117a3de7fd6d7b323f95ca2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html da3b1b07c3cb93eb09ed8dbe47b5536ba321265ee950fda9b0f26a059032c117 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html cecab30be6baff9e6498c0c627cc418551530e2a3af8980f776e83e569360ac6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html a1b2587858502744c3b08e62d1da0976e6370a56509d217798de6e61e8b9b5ab 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 219e67ae278568613806086ae770b3d5b558cb684ca088b6c6ad72a5bd2eea6c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 33ebbdf779e62e30f7ba5011b33eb10a744abc772d02022a717d1015179f06ea 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html d7273a654f1b62702f4e7c4a2b827536339583bfde2aaf8f29abff1d28a98916 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 4e8c40592366dfffdb735937976e6b347467aa26e7d61f8ebe3203eff40d18c6 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 321467b341e9fef285fda5d3e3f3b43bbab154c207793a7681ff0da97642e997 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 19fb7ebafc490f63321ac8df06d039672cff6e0c0d816c465aa5cf5f600c2af2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html fe292bca770cb47bf64569324f4de3fd0f55882aff97b18ec603af6942ee3ef1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 1fd9ff4740cb0f40a2e17a6ee32f377b0183ca70cb1e3728a2543a4eaf668433 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html b0a7ea37541cf8a1be9be8fe52bd50b4c63f9b80bba1fd77a2388e52bdd16047 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 88591b40867bd43b932ec767096011d1abb95c508c7c02e767d724d5d0283399 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html f9849c86e14e80ff4790453e011a3a7ea24ef946adfc0e4fafb4e857d73fe2d5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 1ec04cbce1a7728ba164d2f71eae8b080db6db429abac6bf240032881745af0a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html d6f4311738622f5dce003e6d941605145addb36e055b0f820d66b242e4ede246 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html b53bed5f3736bb351b42edf546d860146748a56f0324134b26340ac962a3f0f3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 9f9c3ea8fb387d549c6f720f3b904f79aed2b33309d8652464e440115bf06e26 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html d797041fa0d059efabf9f982c56552afe13623cdc111a6d9f28fc4ad0cedf86f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 7a3f7ac10eab2a5bee66e0eadab2e3795659636961a656d937c90b27afe18c9e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 3bb93703369b41bf1d54947fa0a59294797ac7a2f7e35f344adf78494c8a18c5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 33a2a6578c92f868f72a8d20424a491fa9cdd54449bbb7a2a8e218769d9e71d4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 5b86d85a917afd721441caff901ead93634328742efdd1bf463c833177cb00da 2
@@ -699,5 +699,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 80f9113749af9b36ff8a50a5ced4c62f857246878acdc365950d76d1a5fca13e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html b65dfb6c0b601ce33320e112e6a4849dd76f0f21c096b1bb930a1222a630d790 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 21fda46b644ce8188787b49804dd4c3e41778ca7fb168ecf0c1752ddc11168fb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 62e7ce09dacbe44420aaa4c970133421961163b5f2ed6c740128cc714fdd92d1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html 58b0b8f4462e4f2d6898c08a966c0b3e30e824ed6f1a6d5422fa30b02a9a3091 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html cea7dc827c3f7ab68ea015da3c2ba6ef1a5668b7344cbff210c732953a7fd885 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 6c30199dae3b0f7f0bfb5e58f5a0c3c45467ff062df66440745180791c101804 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html f5fe0079c951c07949dc2a9b1ee9dca27c5025037b9a57c4460fd85c833db690 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 26fe67ecf9e073e4ab4ecbb372c2e735c0055e5bdfb1e613a47b729cf98de852 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html 73f0008a236212d05346855fbfcc72cf357cb5400fbabe344ef0f7b171487c06 2
@@ -705 +705 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 258826b4fc59da5e7a06433fd038d28412960345f86d2bb38702138ca25b8741 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html eeda0d82df8846b4730698d86c2b5d496609584842076adff4e77c7477a2890f 2
@@ -716,13 +716,13 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2317a59d6177ab0fe3261e87c4c3222bdf5481f502d85a90d3b160a1e24f0aab 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2d5c36e756d51e23f701dae341bfe1c2053e74330a5f70245c57f3e7f7f3fced 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 6c85b03e42ba7b312600a0c85e1317a3b0dbab3ab08b40372d098ac79a450b04 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html a6626e48eb2ccd7c69f1ec4f2ba4eab693ef18d81f03765ad58f75a024b3acca 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 0b0185ffa6b4465e86a41ebea2e28a651fe996fdfd32543942913300155cce66 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html f585e36ea92fdc7e3b3b42b1362236d1844e32dcbaea30b94f1bb0f00d3c0d69 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 8fd153147814bee211ac207a6f1d72d2c45b87678ea0d31148074f890decb16c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html cc39cb7d9abf088d5639acc907556494572e0293f64bd8de56ae800cf7c4cba0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 4a0ee66b0dc6838fdbd96456f462c43e18f9df9323afa59c08ae073e8ab9b320 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html e13a6be5713edc728d05e15911b41ce0051e60ba28060ed83c23d04979f7bc76 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 7c1652df5fbe8395d401e7f272116081a3d03cdee2e8e2a1b696213866cce3a8 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html ead5364e374014dc493f7db880f0646b15b3f26024ffa62ca70861edd31540ef 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 951d132b01f44c054b890f1eb41d509f695a3f0acef200d2bdc589dd1ff161ea 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html d688dd4e3bc236ea6c3ac339ced6644806edf49f44ce3e04e2f10315c749fce4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 9b78d09431b6cceaf7c53d05e7ad9d0ad6dc8bfdd65527943c04410efa44f5b6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 2925b6b80d4e37c4e7b27b8f4a029b6565076d82a3b0c7d6adcdd3c5043a94ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 3160502ed0391d29aff8d3761688dc61acffdaa8e9ce9c7a00c75703bb71411a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html db3030158f625c6204e6e10424bf096b1d9b5d50a2a47218a5c6abbda10ff015 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 5382b0c3e025a0b7126af0a9f84f1b0b9dcb3708317dbacf0edf558d72898aed 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html f3f34a0c1e3283d7bc53851a43800cf442722d3505846d7f8489aa67d6912081 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 7b4a759749c53d54a492246c14442063ada632142a3345a01418aae467748a03 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 8abfce1281fcf8737327097071d9bc5a76115402a27794781be7fb8429faabc0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html d9fca5c3d2b5bfa42c1992553a7600457598a13c2824b6ccf1ce5322ea596988 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 9626ef7346a8cc15050b000471091723130ea7de4b4ccfd8691f233c5e95016d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 053951fb7d493e87b0cb14ee4000b916f4768cd8ed07d5549dcfcbcd4e62e739 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html b66d2bb165dd122117b2f8086d3e0d903479a421c6577ce42c43ba7ab3512d75 2
@@ -730,21 +730,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html a12f1da84eb85ed4002c4d6821cf886ff8936b6b9c1501b62365f2f28d12241a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 4ed894f1022d1bdaca87ab6c5eae4b906a902053fe8929fe9dff94bc50a701fa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html c632ab937219ca8ddeff1126829f2d593f06a98ab90e7aa79f67f3c3fc5c08dc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 6e4c619ab2ec8c1a06c77ee15e8da176f1336609b5e102b5028b4170d5b8263f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 9f416e98e6e8e4691bce08b24cbc9ebe2d93c9c6a0f6330e8a10350736003a00 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 084709dd4976791d931a763e5306de2459d4fdb665b3f4fecc16342c2cac6a33 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html e1fb08496b34b70f7d3b0e29bb4fb41f87527abd11751e397b86d24151c231dc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html db73d61bd23dddae8c268c59688b2de9918b2673b8d9dca253a153530c89aabd 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 50e3e2fa49422298e6692f07d775fc2edfeae3d5670514f65308950ae0e9cc6a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 614ea58d08c39bda282d813c44ed8a8b20fb65a01f53a31d0a7cc6a5fb3d1add 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html d2e9f5745615dc017fdf40a7998156aac39acc3da4cc1a3b8f8d86349f65879a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 6820c9293f837d14ded723095eff139776d4c680a1449daf8deaee7700397205 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html a188904f828c260e572311cd5c0834d2cd6931fce0eae0f7e5989f7e2d2537bc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 90068e12ccf55413cf554c761cc703f51faa9e8df90118d7ab59067ea3f498e3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html c32634ff445202084998230115efaee14e4e84a8ad94f15b5dae7e09f61e0abf 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 0de719773d40586beda34658fa27910a8c3cbd80b2c858c61caf9e99404ee8e9 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html cd265fe70961a2d8756be760c162a3e97478daa713cb078e0a3ff7a461c7098f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html bd8e0a870d777859f26bf8e2e83c08200e317e06f046eafb02b0aad696662fda 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 4f5237a2c01132fb2f4a2a9e46b309abc4159524c19430f318ee89ca907e5a1f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html b5a245be5c6bc820c94d0537fcb74aa96d51a503d76313b079b04282ac441908 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2670b338108beffe4bad2bed0dc6fc47029eec955d2ed4763e06bf805b4b949e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 3757f6787fdf8a8e0bed04722acc67459da3e590bf4d2b73c7b1a30facb1d4aa 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html ba21f3aaa016e3eed60e1b5c4ff451e896a1220c5364448ecc7e08b2fd189b4c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 468635c12f9608b0f11897bb60bfc941adc4ddd84bf6b4e7738d3819ed1bf02e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 696584acfec853ba6a1a6ff0c5593118a43c9051693d5d4a0a14c32c4b57027a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html a8bbda652aa5911e52886687b4a41c30e815df8a3b36b3b54ae1756068edcf09 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html dc21d8b3669b5f903a25e751c1975257fbfcdd2c59a4590c50d194a31c26cba1 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 6efe45a35b00df601ec18ea403b39d6a44faf2401e0bc1ccf412cb969486d4b9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html a0c664a7c61c88a711b1fc7b18d7256c57a44f7f5c1907b52df8293b19b3ffcc 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 0b528f0c7525a192928bc62c1f0d58f5d63b638ec9f188de2d96841d173da29b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 87bd06210a1513b6b8e3bc10e372346f34aaa82dbf315fc3bb4760a7f01235f8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 62b61b6f603841fe722ce6f3762706b8efdf0ebfd1df8eb260f09a5b47e893a5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 790198fc097f4cec40cef0815dd5a9ca12ed18697539e24a9cf02c18db5f3cd2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 89c6e9041654aa659b135a5bc04014344869131d9d552c18e70c7fb8192ac894 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html c9db310e9151c74f12b499ec395f1da813f80ae330b2baeee239da4abc39e041 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html bf196822ba09a97dd341ac02786f76031f07c061ca7512869bc5f8efd50a7b4c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 13341f6882a574909a4577d303aa5ddd14abfea7ed7a88e3095eeba04ca339ef 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 12728c65e56ad9793246ca9511d6e2a656dd3d897ddd6afccab0ef75fb18eaea 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html be5d0f423bb8ec91b8cf9c6ca5c7842b0c7d467ab233ffb2423fc24f2c897ffd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 59fd1bc83f3881d2a9ffc906d8a6870f62508eb12197d45667567d6d358148c8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 3148b3d9d121f58064e6ee0baf0fbb0c5071f7cc3843ff3b93f7057525336c80 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html dcb3bfb9fba0def13243f5dc160f00f653f928fe03b24e96bc8ad13dd5688aa6 2
@@ -752,18 +752,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 7a0e21ad54720a87f5d716e3a7eb033b8c136676ff1d37724f6266d9fe4b4ad5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 634ff1d27fdd512bf0dd2b8d02e1d5899fdadd9c6220e45b505637a3493b8230 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 535709131d512859e0a11cf1f5bc05d77e3e7a43d4bf22ff195825ccbd9bf22a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html e0033db4d2bcfc13b3239bc6b224603e7588a8bf2813d53206ce953b15884f8c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html f1603e25af3e113fe25f87abc384a516e6dd87a80b3fde93f94b9f7320b68bfe 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 3fcb5954ff8085db2f7546da64c0dc18f495636432733f1724e88e2b2bd9fdaa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html e7ad4d93c18ebf531889906ad9669e2baedd0909b2ef05afaf20d03561701388 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html c9084f12e217c7c6a615f8f61a1b97e0ff55f6260322c613b2713ff3eaab7557 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 9f7c43e2817d54e8d8537697f1659d02aa13e290fddd2bfdb4e5085fa8f6c6b3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html e69d66eaf932d36e8f6c65f0c59c2aab8a8f84c6ee88ed77a95221402d4910d7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html eb5113d4772a9f9a3f9594658c6718f336842cbf437c2241bc8cfac7c8b33007 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html a43b58e1b7fbfb20af15279ada6a454dbfe666f962a2900975af971a64a3edc5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 12a176de22bb279a563fee300cdd85a2743fe644fcf493389c0378f67e50641b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 1442a672664f087bf6a8ec57242952e3f11390b60b82a0e322c8fd25d4617523 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 8e39271f42fee4d84b1cabc1ebd60fbdc1cfb18c7cf7c58b45a751a8061cb622 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html e6ac10fa68d01f135a966ece27ab0a02a6c471a3e212d7ed6a48a45c1df1f204 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 8c703d35d86007c7455711114a6c02b9add947c7007543b2bf28446f07ad934b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html c8428b28ad3afdcc96d946483f8627f161c1097604d514f03e38e6c6fd92584d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 8f8f03451d0ed66c1804c32ea8abb1946e8239fc90e00433bde04fc25bda11a9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 5982a509739589ecefd745a7071f0623a4724d989c0cf5800d13595257dfe688 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 7763368665425aaaec7f94875787ac0ced1947dc642ec7856f2b9b755913e795 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 6bf49e38ca45352ff5d3146be3a88a9d7871944e03993f94744c7c3fca9a4ded 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 3c21dfd115d83848fa7a09a50f9b9ca1e5abb83b0a797d9bb9a0ae8b055900c8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 830ff69dbb9189836b66b1c72b670e289bb5b19a4d8d230f52ea76b1c9ef293f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html bd87853b606a395e5431759bf70c3dda72260a3393f186dd0f00f8e71c29672f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 91e7f4f8035c61c92b49169626d73fb3b26a8e9b12f176208e97ddd3484e4550 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 7306f554bac631aa096554761e6f344fb6a920e9dfa747c30e8695cfd50c062f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 3a09891017f4a09ab1b3da28aef37b2cd65d03dfeef0db4df1494b1a26845466 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html fdc2481fdd04673a3171bce42d6e60589c1d7e8871fa69cc7736818782106772 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html c27d748a86cc58551f7b16543779577b231da84c872c0899367ac6ea2b370eec 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 6aeb00d549938801bd51b78ad09a41aef1722681b1031127812533087dd0486e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html f76ce70b16b296bfd400c39a29e96ef69adc65fee1f5958e00f31c9834ee62e7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 3c7bbd0d578e0e3443165b2c70be654a4c270b5ffdcce863dba7abd58b56594d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html a92feea6a7fe40bf052b55e969f34139dbfd56fb35563d406137c46f08ad49dd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html dc5f55bb4eac582b1216acd60c5b29f8c726daadc0944057aa37014b37073cc9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html be4634b53993d4f2158b83eee9f919c318a29128804e6d6544f96276eef6c9d4 2
@@ -771,5 +771,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 9faac405824c5408d6150d38badb0f3fee82f8fd1276113148976c67ca9f66c4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 9ef86148da6c456d9bd73e27436c5d42ac58996be960c5174a2bb97fe293ab6c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 79d1870ae2609cd03c763c536f9eee494d611ead4c795cb6190733022fc7500c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 0517e75eff5f6069f82183bba0b5f4f229442374abe430757442418397c67fd5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html a570f723679939f1d783db14e9d5e930f58749cbfc8409b3bb7bd60e0d7d9866 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html fe05347c9977fadfca4605e5ee4f9ff20e47600e781ba4a3ed7d1bebfca83439 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html d1459daf93ac5ecddaa57224d6b81bb205e4c6221dead5e61131bfac12f33210 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2b84d175703028351dbfadbe7547cebdaedf9b2ce5f8f92905349200f1a4d14c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 9218bc2e7253e101205169731d1cb815cf19af30e7ba80a3bd197216c2f4a66f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 65b7e6ceac493113a8f609367be8318407787361a849f3157ca7303f45ca5a86 2
@@ -777,3 +777,3 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 9fe26da6e849941f3033dd864fdb9ae4d544aebfac095192f20f38787152f101 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html ac5ab9f43b186ca33f62fe8dc3c822497034bbecc0c72b24b165d7eb118bf4c2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 65e9be72d36c64ce219bc94c620278a5d02d15cb5466b0d4a396f243a021ab88 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html e24fa81ec54e981bd9f15349a3ba3c088d1842e7752e804bb80f62f3c2c339a5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 7baf02867b5d32c025322e4e1626f60471616ba56e6ca91b36317d63ac8d9c2f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html c8f415457580c98fef1bbcddb1aceb3f5041197ad3120a631b07d8acff52d1c3 2
@@ -781,2 +781,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 0b2e5fc43f33edf7df5a6ece78d2f5ce8acd64d105955f892c38039cb3962a51 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 921398646233a53d550df05988c9354bb284efdce90490ae3dc5097a7c9cbb83 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 282bf89a06c5308e90d9b67531c631a8136c1517e963b1c83817edb776126ae6 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 418ba79d7932651a6816411c48911e8f1e5fb2a10b248ae076b6fda10f3bf682 2
@@ -784,2 +784,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 447937497ce7aef9a23e2aa4b94d488729343bb715da5d58c0ef2674d9fa54ef 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html d735d2022f84dc98bb9efaddefff502038d543953ccebe350841d7a48f27113b 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 344b6f336226f7a319e7f9522c72fcae8ccf8c61e6dd803a14ea0f1ba80d355c 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html d7674a383250cf838f7fafc18eb44791948cfe1f01b26a6d6cee7cf4e7723722 2
@@ -789,3 +789,3 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 0bf8040a6ca8fe0d9538fefec23ff3740868fd775a79e496d56e2ed3b4a99317 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 6195628df8d9a00fc5b419c0a1816c54ff13f7b7dd6b45616896fec6b78e6dd2 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 6a310607b926989718748c106d5f9bee161bfaea6053b619872ced7e653e8224 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 16acdf44885a52189f173040ec1a627b80b25930d388ca4b0a797416effa88a2 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 330a0826e785f59b7cd9fefc69dfd329bfc82e430f19c08d895602f72cc5551c 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 7562937452af9ab2867fbb603cca58d9f17b4f2fc2bf6c9cd31e7b1f784ba3b7 2
@@ -795,2 +795,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 55e432d29c39983b098fa24c6f1bab44069f5771fcad2ac9e31685fd6b718890 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html a510b31542b0715ca386023cef04cb6520772b4592c613efa8f49910259314cf 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 4a796b9154436ab91c461e464ca99967e232e032430284f5d82cb009a00e9934 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html baa7aba53e016213f15d69de8a1e8be1c1955fdbc41ccac85f2d38de94c3480f 2
@@ -800,2 +800,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html d7f12f3ff6a727f0af3c7282c9f3781e7d17489636c9ff7f435f1d3ae01b9729 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 80994a016a9d1ac5b2e180a47e4ca19574cebc015b6b2a1807492e6c0c0d914d 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 877114972e166d1332a7c51bfc66a35c45b1f9807f31a8019a810f3368d6ea1c 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html d19f3e72b434f0417dbf958f4e02c25e939ea23ef8c6ced6b4264f127d1973f8 2
@@ -806 +806 @@
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 63738a78c08bb03d0febcd5df6b408b1c62b89e45065f2753f963814540f5009 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 588317b2501168205f79ada3d61f5592419f5c239b4ce0dc9aa4ed7abb8675ee 2
@@ -812 +812 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 77d0adab89191c483d24a77efc71d421ce7e870a1a9ec8b7ed8b9d00fd8c421b 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 84ccaaf44b7159db560902279a2919c69bb13b40dea10e6807e35ad586c63a32 2
@@ -814,2 +814,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html ec010cd4dadca8f329c727357c72f7fc0997db20db8229c63d9d556f1e9ba8f9 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 53b1f80218407fbcaf4d49d1d04d4a7b82c7e2066a1ab64c1c889966f266ba39 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 5e134e2fbb7c3c0f01404b8b3e6b1df762f45d68bb9e56000ac16f1cddf2caf0 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 1429b26ca14d060a9b1a4e199a36559a0f388c9c9bfbacf1d8f5612ae8110b88 2
@@ -820,3 +820,3 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 9fcd6789c5028ec4358c774520d4638c93f397617f86519b9200d0d099059140 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html c1f1b75491fa81f6c36ea7571965dec97a8de07a143d6f04dd061a00ca638446 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 6a97a4ddfbb812bc507613eacd89744e6f1a1cd88c83272c2409fe9e808a6f46 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 7f529baf4e395af261fd08548fab6f648eb79beba7942fd6a5cb5825f9f9bd1d 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html c42584a093e5aedb6019fd1e48143643460ea6037c778b5fd8b95c14516f4ae6 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 47c2ecece4a1b92111b965ca1da9e8ed85b27b57f27349919f41ccadb0c8b936 2
@@ -832 +832 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 26db70d76c86c5c585285776dababcb44de698ea6120bee2164b07d36f0ac239 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html d93327621225c515873b6172d8275f834720b575f873d8de218019c23295c588 2
@@ -834,2 +834,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 30885099d9598c29d319511a997e647c32eeae0e96f702db1e8486da36804df7 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html e57d54c48557ce661dc34c020ba9772a2e573c7e12e0854eb8ea6ffc08910539 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 4f7be0e36f829b968b81bd804df36e2921cafd256e69e556f5c12f8202f08846 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html d01ea4cc9ac2cc353ffd3324a9bc9679f1910326b38c927a6ba72907d5a975e9 2
@@ -839,2 +839,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 4f2943cebcc3535086d213d3253137f0d1094b524fff7ff2652e240d1a81476b 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html a321b354a67873d32a4ad7fca093ccf1088694c3c7d75315d70a189d2669cfbf 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html a19ea33ba46e16abeed60e11e77b4aa227d105af8356277b9960b024c3e7e094 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 432dd8be0aebda100c56997ab0c02939723b3528f5ff06339b1f87834d5e356e 2
@@ -1128,2 +1128,2 @@
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 9db380110b44da4073a57146a5cfdd73008d30c1b6b283ed1bed508078ddf8db 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 5541b911d8243a1708164a1563f83dbf82238d682a9b1ee369af3881e900586e 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml baccaf841e4878f4d1e17c01382fbe95259b8267ddb0d43bfa539255cc2763aa 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml b01b84b1865ab822fb75bfc96806fc13bdce4350bfde9cd455fea29b11d47009 0
@@ -1133,9 +1133,9 @@
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 138c36b469013bbcee84684c92a3f6183626097cb4315d64555292a9d3afa862 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 1b596bd42f597948a1098050882df3d03dd11d14170f6865f6826162d56a8bc5 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 82f26a2f1f66070b8a84593b7af35f63c0c05580b71e90625a0fec0c98002c15 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 6111764b3f42ec3244ce96da2e997d81862f059b36b1ac2d9782596efc622f1d 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml f1561aea7422681d7c0148dafe90df4790a2687352ea02f825803eda0673bec1 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 72422ec28a215c7ca6042397e9b409c27da878fd8930b4d5e704a3f69a52fb71 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 60f3dc69b9e10b078151d819033395b6260f1ee592d9b46af27d5d85c0bd412f 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 0aca1573bdd8d0fcfb283d785ae60fbdbb75d92474d273831ae17fb81b090b42 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 59093478037e40a6aa70ca6b33084b7bc25285a4bb59e32ce63019c679a2d3b3 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 5da8f04b381b3da6d2eee6fb89446ad47c9074668c4b9c2d66cd1516261958de 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 1cce9cdde330464731ea2b0a0e3fe01a0842680f91102260dbcad4c180c2a0af 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2371d5dc9c0ef8b8a1874faf2cca7171373b3248bdeb2b3e0f394bad040ed9d3 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml ce7a104fe1c6bdfec7005740cb73dc05aaf1073fffbcbcaced8784836c587357 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 711f3240214db2772e3b25178511f3db99322f51579d862c440892062e92035e 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 6756a2cccacf01bfa4dd8c1bb8c9762f0513a77e0fded20cdb7d30654c6b33e0 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2d852a90c492e3770fb25fdc089618a585907580182436563ea4b5b5db66a671 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml d524b65561a7febf4c826a46d6c178f58ac1a6734dfa6f5aa3931d58cca78f63 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 7b0f9ca485e49fbe1485a0641dcc62feb19a9cf12b7714981b6efdfb0bd6081a 0
@@ -1144,3 +1144,3 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml c74af499a17ae0f006f94163d9fc527c776bc6f7444146a968b582d030fff0bd 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml c8df53840696624661eb167ae9f16b3e589c435664738691be8b9fb801a6e727 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml b7606616556258041df7ab17b488b83e8e137481beecde7e352565df72412727 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 321a080b27fbfec1c780cbfd0634aa7a731294294c7bf20e8b1b1ea1793e957d 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml b09d81e53ab02308190dc15bb223b3fcfec5efb0bca8398c69f015d59bac7ca7 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 98b5d2dfeaac246b358f2caba9da2002532ee74032d84c0948db10b27be6c9be 0
@@ -1148 +1148 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 38403a73470b3c79ebeba3e480892ef68801fc89fe1461043535c191b8c37911 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml e81c14ad24569e537bec7a512016c577298dffcb773170768f5283e587937e65 0
@@ -1151,3 +1151,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 5088774392807ee1f22ca5e6992440a021636027196483e11409f4ff71c03f34 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 4f22bed0e901fe3ed7c7ae0fc92905fd503cfbb91d442448294603ae20e1badb 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 74db79b0dc702ec20d659a334c3a550ff0abe32009303c3055779c18c0049445 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 950075b3afbaf45c6ee1326fd626e4271a6ad66206647d4c07f26f3fff903732 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 76e859669aaf3ef69aa83ac23c2bbb0a670678863128947724f6fc958313b6bc 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 965627d7b1503178be94d927345571415881a442ecfac9b94c6a307b3b2c8943 0
@@ -1155 +1155 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml e08b74b40d1c6929019421df39c19d8b89d3583b1ba6bad87f38619a3dc4dc73 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 9d42f83934a3e2bcf6abe9976e8ef950dfda10eeaad7a9f108b91e26257b1aa5 0
@@ -1158,3 +1158,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 6e6e7ad20cc55b11ac2e654fb18ebc3a76b77594f36011696f428ab8f816c9a8 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2048ae466a9986de94466898d52361711b2711bff57ed25655c2e5e8cf3f5491 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml c4b803bf5d864c8299b9b2e9375f127a6bb1ac3ee0183360dd4b534fc8735675 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 4c8f75ffdfd15daabe4d8c6f2b8578ad869cfffff09d6fedfbedd602d011348a 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 484baea4fb89ad81a198740b58c94a4cddfefd0a1aa47665a7c8f8e3e7e58550 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 5b8d419a97b4a213f6d3bf18577539b36c42fbc4588801df13d68e8ac4b76ee4 0
@@ -1162 +1162 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 0c701b499a12c1920261783707f5661ba561880e8234beb1f33d60113233c966 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml ebdebd05f39d17509fe94ec933e2edaeb99bd06a49021e62dd852a43d45b01bc 0
@@ -1165,3 +1165,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 200eef7948068ceb01389dc84532e539e31e11e637c73fd0defe1a1cd896e92f 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 977f28817b3b09958699c64b2517bd8ee5cc25ad8a988deb7be94884a1062586 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 0af5ee39396660d0d75e02e8cb8b69f7dcd604d3f6a01e9d6f6957d70ceb607e 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 00c6df00a6eb2235406ba99da57be25d57c6c760c9d13ec50e8c6a56e1992139 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 7af7a66462e6b425bd8faee8abb1636af19fa6ee655d58f76f0f9837e2e16bb1 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml a247fa28e9ca023cb62ad8c46e3ad15d2f44b62db93087e54c663d8e666cd097 0
@@ -1169 +1169 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml cc60aa7cc0b2c2f839a7f2d5086faf0c0809227a6774a9a5f48cf17ffacbd51d 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 46b22b2709321f2ed4a245fae9437498908cc8ba781443877dff55e5ece56e5d 0
@@ -1172,3 +1172,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 58e51c82d6fa2a2c16355340d8df858cb34a8f1650f0fde133df9c81a10641b9 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml bdeacc091e2960c6295ed9b3658c41b7d2de162936fb01407f2e6a9a6e83749e 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml a6d86baed004379a10730d7e3d23d6f501a67dd929286a73562dff7f0d7ce2c8 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 07d2884c8df1b2552ea3d7ab707362b41935e7df9e86f0af74f3862f1b4ed8f1 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 8ac74335d8bdd37ecd35570babff25f0493925c512001b99bac935e9cc45007b 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml f08255f56c44a98be61c297c3705022f3b4ad0ea8dada77f0a5a27e94a33919a 0
@@ -1176 +1176 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 608842405040f082038e62c2ca739fb17df78223192cb3de6b64b39e5daa8109 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 4ea5dc91623e2c79482ef5a93745278b2765fd88a25899ee9292b2f73d98a07f 0
@@ -1179,3 +1179,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml c0ce886bf4d48c3bcf80191e7decdb8682b6f2f51e47ca17ab8f768da74a53cf 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml ac20391a7bf2706e97e22728c68d3b26ad1bc2dcff0b50e31f143f6e07c5e5d5 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml e9173260c28a581e9ea4cb15b3bee5f48337e81fb3fce637e8843a8a713728f8 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 3d060121af675f9ae66acef810a88044a00c634c2507ca2cf8a74938fb0692ea 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml db37b4d461f7282f680771c82db94078d79c52ebfcafe66fd3380c8ef3e9700e 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 66cedf86166631fb1ed784ef46b87da22351429c05eaec2e5c1f0d366dd45bf0 0
@@ -1183 +1183 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml d8264a10c1642f88247bd908d696433341783651b535e43e64f824979ca57c4c 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 4d09d43106c08545966f298be4f45ceb970b54b6809a9244a1b26d2b2cb564f6 0
@@ -1186,3 +1186,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml a559a2a2ab47b59f80f9960770eb06a5790814521a877fba8fd1f415d24d89eb 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 8d9a3ab69b5997ba2e57172cd821cdcab1d0a792baaadcad0dddf3d8f9977df4 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 253aa1f838c6da1df921db8daacb96dec1889c5db6d1161018ac395e2a239e13 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 5472084002be2f1720c6f8a523e70dd6c5eebf68f04b62e9ba16acd172f705fa 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 60d2873686ee5d8441dc6367f091eaa4f34b5fed22313617ea51190db2d3ad2e 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 41f075ef3ec726867731a3f827cc5a49f0def3d4717cd2e6a898af5fdf46c711 0
@@ -1190 +1190 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml caea1c70678d2e4353606ee3decb5d2416337e4a729ac3d91f1150d23b99baf7 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 8a1da71d0b1932b4cb11226ab0742ad126546753884f170644da0bc294ab7f28 0
@@ -1193,3 +1193,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml b3c0e3b2fdfc307a97a99ef1016fd713e8088e7f51f2d3c31bf3e1175834bc0b 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 58ff385d411268c171115376da75e92c5627ff9eb26fb3ef565cbd800a6912c8 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml acd5b28093ee532af46d719b6521ba8d64144d00e625f021bd677fb84fccbf18 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2bcd1554a38d721ac67429974390870a27eb23539f91f2e33555ac0cb11fab64 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml c68d476fbe0cc04112b02e32405eefd0c22270d805ca4d2700b4245be0711a2d 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 5e0eb4b8bfefe5dffa9f3f1571dba798840b2e518e42df9d1093ed3d66575bdc 0
@@ -1197 +1197 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 642578fe4bd702506584b2e80b7cc3dda600a045c1f3da9dead9b396ed945d16 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 3f09bd5950dee1270a8e662596c577118f63f2f2a36913663a3a3d666f5d11e4 0
@@ -1200,3 +1200,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 81124be3aa0552e47350ae7688827d80268a1a6eb62659a61a6cfafdd6d424eb 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 82c9c6a5e6470b60a48fbee7d3d10f583855a5cfaa4321b8cdd69d276df0cb73 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml af0bd6b2858e52ab82e66fed6fd597a3e30b466e705b0698b5b2bdeda8d22c52 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml dcbe8f7f2ed4d5d555c5816ec5281a78b17b2b21528a439a2d0648328debad56 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 75a0d6755e5e7f628fce4bd3e8d3f78770896fcc602fc43197d12a72da0a977b 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 5b0ba45c230d96ad19eb22922eb024e8e0563601e12e9feec1d12372241fa847 0
@@ -1204,4 +1204,4 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 1f638694330ea9e87e0687830dde8d0307225bfee1820ff7e7bd58cdf8a431e9 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 75919dcbde7cd86cf370d2008d90e7d42f7818cff797bdb54a28419b005c9c36 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 9d1208ca085cbecd5c7d0b08e8616fbb0c6886287ba0ac78ff9a1820e835232c 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 62cedb0923aad0fe1baef6097e0943305b9bfdbaa98bd4856621b1cab087f57c 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 8f3f9215e56e8cb1caf04c0d67f6bc198c7cdc2a5021c0f564bc44453a4a47ee 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml c1ef45df01b945c6695fa4c7964b2ff20c54279e78667a042c096acadab6a759 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 428e4fe797bb67fed8385568eb1e16561b39363b21ecf45bc91417530c3e9de4 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml ec8679287f419c4d870f71aa50fdb491778a6d6f53cbae8b4933418e08ae037c 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -284,6 +276,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -461,15 +447,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -495,20 +495,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -598,24 +598,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -143,15 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
/var/log in its own partition
enables better separation between log files
and other files in /var/.References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15
+ BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /var/log
+
[[customizations.filesystem]]
mountpoint = "/var/log"
size = 5368709120
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /var/log
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -471,12 +471,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, 1.1.16, SV-204495r603261_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
-else
- # \n is precaution for case where file ends without trailing newline
- cce=""
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
- printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
+ BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -595,6 +563,38 @@
- low_complexity
- medium_disruption
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+ "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
+else
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -279,6 +271,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -453,15 +439,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -487,20 +487,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -590,24 +590,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -143,15 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -305,32 +305,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -542,6 +524,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -551,10 +551,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, SV-230223r792855_rule | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Configure Libreswan to use System Crypto Policy [ref] | |||||||||||||||||||||||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -583,17 +583,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | |||||||||||||||||||||||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | ||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, SV-230223r792855_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -187,20 +187,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -317,12 +317,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -330,12 +330,12 @@
logical volume at installation time, or migrate it using LVM. | |||||||||||||
| Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | ||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -345,12 +345,12 @@
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||||||||
System logs are stored in the /var/log directory.
@@ -359,12 +359,12 @@
volume at installation time, or migrate it using LVM. | |||||||||||||
| Rationale: | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. | ||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||||||||
| Identifiers and References | References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -377,12 +377,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/tmp Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /var/tmp directory is a world-writable directory used
@@ -390,12 +390,12 @@
logical volume at installation time, or migrate it using LVM. | |||||||||||||||||||||||||||||||||||||
| Rationale: | The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_tmp | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R12), SRG-OS-000480-GPOS-00227 | ||||||||||||||||||||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -187,20 +187,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,24 +290,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Notification of Post-AIDE Scan Details [ref] | |||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -574,12 +574,12 @@
mountpoint can instead be configured later. | |||||||||||||
| Rationale: | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | ||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | ||||||||||||
| Identifiers and References | References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -590,12 +590,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -603,12 +603,12 @@
logical volume at installation time, or migrate it using LVM. | |||||||||||||
| Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | ||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /var directory is used by daemons and other system
@@ -618,12 +618,12 @@
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 2022-06-27 00:00:00.000000000 +0000
@@ -124,21 +124,7 @@
[ref] | |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -187,20 +187,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -317,12 +317,12 @@
that /srv is mounted on its own partition enables the setting of
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -330,12 +330,12 @@
logical volume at installation time, or migrate it using LVM. | |||||||||||||
| Rationale: | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | ||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -345,12 +345,12 @@
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||||||||
System logs are stored in the /var/log directory.
@@ -359,12 +359,12 @@
volume at installation time, or migrate it using LVM. | |||||||||||||
| Rationale: | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. | ||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||||||||
| Identifiers and References | References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -377,12 +377,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/tmp Located On Separate Partition [ref] | |||||||||||||
The /var/tmp directory is a world-writable directory used
@@ -390,12 +390,12 @@
logical volume at installation time, or migrate it using LVM. | |||||||||||||
| Rationale: | The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_tmp | ||||||||||||
| Identifiers and References | References: - BP28(R12), SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo dnf install dnf-automatic
dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.References: - BP28(R8), SRG-OS-000191-GPOS-00080
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "dnf-automatic" ; then
- dnf install -y "dnf-automatic"
-fi
-
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
+ BP28(R8), SRG-OS-000191-GPOS-00080| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -255,15 +247,23 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
class install_dnf-automatic {
package { 'dnf-automatic':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=dnf-automatic
+
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+if ! rpm -q --quiet "dnf-automatic" ; then
+ dnf install -y "dnf-automatic"
+fi
Rule Configure dnf-automatic to Install Available Updates Automatically [ref] | |||||||
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | |||||||
| Rationale: | Installing software updates is a fundamental mitigation against
@@ -355,39 +355,7 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | ||||||
| Identifiers and References | References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule - Ensure gpgcheck Enabled for Local Packages - [ref] | |||||||||||||||||||||||||||||||||||||
dnf should be configured to verify the signature(s) of local packages
-prior to installation. To configure dnf to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
- -Accordingly, patches, service packs, device drivers, or operating system components must -be signed with a certificate recognized and approved by the organization. | ||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲ | |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -180,24 +180,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FUTURE'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FUTURE
tags:
@@ -396,6 +378,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FUTURE'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -405,11 +405,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /tmp directory is a world-writable directory used
@@ -472,12 +472,12 @@
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -120,21 +120,7 @@
[ref] | |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -180,24 +180,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -396,6 +378,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -405,11 +405,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
aide package can be installed with the following command:
$ sudo dnf install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -149,15 +135,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -180,24 +180,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -396,6 +378,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -405,11 +405,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
aide package can be installed with the following command:
$ sudo dnf install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -149,15 +135,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -180,24 +180,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FUTURE'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FUTURE
tags:
@@ -396,6 +378,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FUTURE'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -405,11 +405,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /tmp directory is a world-writable directory used
@@ -472,12 +472,12 @@
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
@@ -134,21 +134,7 @@
[ref] | |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "crypto-policies" ; then
- dnf install -y "crypto-policies"
-fi
-
-[[packages]]
-name = "crypto-policies"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
+ FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -265,15 +257,23 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
class install_crypto-policies {
package { 'crypto-policies':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=crypto-policies
+
+[[packages]]
+name = "crypto-policies"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+if ! rpm -q --quiet "crypto-policies" ; then
+ dnf install -y "crypto-policies"
+fi
Rule Configure BIND to use System Crypto Policy [ref] | |||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -325,25 +325,7 @@
submits to this process. | |||||||
| Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | ||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -395,10 +395,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Configure Libreswan to use System Crypto Policy [ref] | |||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -426,17 +426,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | |||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | ||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | ||||||||||||
| Identifiers and References | References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -299,32 +299,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
@@ -509,6 +491,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT:NO-SHA1'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -518,11 +518,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108
| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect permissions
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nouser --nogroup
args:
@@ -290,6 +265,31 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_permissions
+| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+ # NOTE: some files maybe controlled by more then one package
+ readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+ for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+ do
+ # Use an associative array to store packages as it's keys, not having to care about duplicates.
+ SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+ done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+ rpm --restore "${RPM_PACKAGE}"
+done
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -392,6 +374,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,11 +401,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/org/gnome/Vino/authentication-methodsAfter the settings have been set, run
dconf update.References: - 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
- else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-if [[ -z "${LOCKFILES}" ]]
-then
- echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
+ 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -619,22 +574,7 @@
- medium_severity
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 2022-06-27 00:00:00.000000000 +0000
@@ -178,28 +178,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated.References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108
| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --setugids "${RPM_PACKAGE}"
-done
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect ownership
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect ownership
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nomode
args:
@@ -279,6 +258,27 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_ownership
+| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+ RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
+ # Use an associative array to store packages as it's keys, not having to care about duplicates.
+ SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+ rpm --setugids "${RPM_PACKAGE}"
+done
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo dnf install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -452,15 +438,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
@@ -124,21 +124,7 @@
[ref]aide package can be installed with the following command:
$ sudo dnf install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -153,15 +139,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "crypto-policies" ; then
- dnf install -y "crypto-policies"
-fi
-
-[[packages]]
-name = "crypto-policies"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
+ FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -255,15 +247,23 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
class install_crypto-policies {
package { 'crypto-policies':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=crypto-policies
+
+[[packages]]
+name = "crypto-policies"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+if ! rpm -q --quiet "crypto-policies" ; then
+ dnf install -y "crypto-policies"
+fi
Rule Configure BIND to use System Crypto Policy [ref] | |||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -315,25 +315,7 @@
submits to this process. | |||||||
| Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | ||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -385,10 +385,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Configure Libreswan to use System Crypto Policy [ref] | |||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -416,17 +416,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | |||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | ||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | ||||||||||||
| Identifiers and References | References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo dnf install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -322,15 +308,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -356,20 +356,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||||||||||||||||||||||||||||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -459,24 +459,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||||||||||||||||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,7 +189,76 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,7 +195,76 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||||||||
| Identifiers and References | References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||||||||||||||
| Severity: | high | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||||||||||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-var_system_crypto_policy='FIPS'
-
-
-fips-mode-setup --enable
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -417,6 +391,32 @@
- medium_disruption
- reboot_required
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_system_crypto_policy='FIPS'
+
+
+fips-mode-setup --enable
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -544,6 +526,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -553,10 +553,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Configure Libreswan to use System Crypto Policy [ref] | |||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -584,17 +584,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | |||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | ||||||
| Identifiers and References | References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -294,32 +294,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo dnf install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -443,15 +429,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -477,20 +477,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -580,24 +580,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -133,15 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -295,32 +295,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-/usr/sbin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Ensure AIDE is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Ensure AIDE is installed
package:
name: '{{ item }}'
state: present
@@ -516,6 +503,19 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+/usr/sbin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -643,6 +625,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||||||||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -652,10 +652,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -431,15 +417,29 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=sudo
+
+[[packages]]
+name = "sudo"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure sudo Runs In A Minimal Environment - sudo env_reset [ref] | |||||||||||||
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -448,27 +448,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | ||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot - [ref] | |||||||||||||||||||||||||||||||||||||
The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,24 +282,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r603260_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Notification of Post-AIDE Scan Details [ref] | |||||||||||||||||||||||||||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -419,40 +419,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, OL07-00-020040, SV-221709r603260_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -431,15 +417,29 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=sudo
+
+[[packages]]
+name = "sudo"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure sudo Runs In A Minimal Environment - sudo env_reset [ref] | |||||||||||||
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -448,27 +448,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | ||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot - [ref] | |||||||||||||
The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | ||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r603260_rule | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r603260_rule | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
-else
- # \n is precaution for case where file ends without trailing newline
-
- printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
+ BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -330,17 +299,7 @@
- low_complexity
- medium_disruption
- no_reboot_needed
-Rule - Ensure gpgcheck Enabled for Local Packages - [ref] | |||||
yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. | |||||
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
- -Accordingly, patches, service packs, device drivers, or operating system components must -be signed with a certificate recognized and approved by the organization. | ||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | ||||
| Identifiers and References | References: - BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020060, SV-221711r603260_rule | ||||
Remediation Shell script ⇲
| |||||
Rule + Ensure gpgcheck Enabled for Local Packages + [ref] | |||||||
yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. | |||||||
| Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+ +Accordingly, patches, service packs, device drivers, or operating system components must +be signed with a certificate recognized and approved by the organization. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | ||||||
| Identifiers and References | References: + BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020060, SV-221711r603260_rule | ||||||
Remediation Ansible snippet ⇲
| |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -456,15 +442,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -490,20 +490,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -593,24 +593,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
@@ -141,17 +141,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | ||||||
| Identifiers and References | References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Enable FIPS Mode in GRUB2 [ref] | |||||||||
To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -212,72 +212,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | ||||||||
| Identifiers and References | References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
@@ -138,15 +138,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -281,6 +273,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -300,28 +300,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -428,32 +428,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
@@ -608,33 +593,33 @@
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
-Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r603260_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
/org/gnome/Vino/authentication-methodsAfter the settings have been set, run
dconf update.References: - 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
- else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-if [[ -z "${LOCKFILES}" ]]
-then
- echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
+ 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -616,22 +571,7 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-Rule - Require Encryption for Remote Access in GNOME3 - [ref] | |||||||
By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
-require-encryption to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/Vino] -require-encryption=true --Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/Vino/require-encryption-After the settings have been set, run dconf update. | |||||||
| Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
-remotely. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | ||||||
| Identifiers and References | References: - 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | ||||||
Remediation Shell script ⇲ | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | ||||||
| Identifiers and References | References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Enable FIPS Mode in GRUB2 [ref] | |||||||||
To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -203,72 +203,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | ||||||||
| Identifiers and References | References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -132,15 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -275,6 +267,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -299,32 +299,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -452,15 +438,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -486,20 +486,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||||||||||||||||||||||||||||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -589,24 +589,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 2022-06-27 00:00:00.000000000 +0000
@@ -94,15 +94,7 @@
$ sudo yum install glibc | |||||||||||||||||||||||||||||||||||||
| Rationale: | The glibc package contains standard C and math libraries used by
multiple programs on Linux. The glibc shipped with first release
of each major Linux version is often not sufficient for SAP.
-An update is required after the first OS installation. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | |||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Package uuidd Installed [ref] | |||||||||||||||||||||||||||||||||||||
The package uuidd is not installed on normal Linux distribution
@@ -134,15 +134,7 @@
$ sudo yum install uuidd | |||||||||||||||||||||||||||||||||||||
| Rationale: | The uuidd package contains a userspace daemon (uuidd) which is
used to generate unique identifiers even at very high rates on
-SMP systems. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | |||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Only sidadm and orasid/oracle User Accounts Exist on Operating System [ref] | |||||||||||||
SAP tends to use the server or virtual machine exclusively. There should be only
@@ -318,12 +318,7 @@
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow | ||||||||||||
| Identifiers and References | References: - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
-# CAUTION: This remediation script will remove ypbind
-# from the system, and may remove any packages
-# that depend on ypbind. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-if rpm -q --quiet "ypbind" ; then
-
- yum remove -y "ypbind"
-
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
- name: Ensure ypbind is removed
+ BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
- name: Ensure ypbind is removed
package:
name: ypbind
state: absent
@@ -425,15 +413,27 @@
- no_reboot_needed
- package_ypbind_removed
- unknown_severity
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
include remove_ypbind
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
include remove_ypbind
class remove_ypbind {
package { 'ypbind':
ensure => 'purged',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
package --remove=ypbind
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | disable |
+# CAUTION: This remediation script will remove ypbind
+# from the system, and may remove any packages
+# that depend on ypbind. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+if rpm -q --quiet "ypbind" ; then
+
+ yum remove -y "ypbind"
+
+fi
Rule Uninstall ypserv Package [ref] | |||||||||||||||||||||||||||||||
The ypserv package can be removed with the following command:
@@ -444,19 +444,7 @@
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services. | |||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_ypserv_removed | ||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, OL07-00-020010, SV-221705r603260_rule | ||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||||||||||||||||||||||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | ||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -301,32 +301,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
-else
- # \n is precaution for case where file ends without trailing newline
-
- printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
+ BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -577,6 +546,37 @@
- low_complexity
- medium_disruption
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+ "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure Oracle Linux GPG Key Installed [ref] | |||||||||||||||||
To ensure the system can cryptographically verify base software
@@ -649,10 +649,7 @@
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | |||||||||||||||||
| Severity: | medium | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | ||||||||||||||||
| Identifiers and References | References: - BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, OL07-00-020260, SV-221720r603260_rule | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -276,6 +268,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -295,28 +295,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -423,32 +423,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -576,15 +562,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 2022-06-27 00:00:00.000000000 +0000
@@ -139,15 +139,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -282,6 +274,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -301,28 +301,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -429,32 +429,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r646955_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r809183_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -582,15 +568,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,21 +115,7 @@
[ref]aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -145,15 +131,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -431,15 +417,29 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=sudo
+
+[[packages]]
+name = "sudo"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure sudo Runs In A Minimal Environment - sudo env_reset [ref] | |||||||||||||
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -448,27 +448,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | ||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot - [ref] | |||||||||||||||||||||||||||||||||||||
The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,24 +282,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Notification of Post-AIDE Scan Details [ref] | |||||||||||||||||||||||||||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -414,40 +414,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, OL08-00-010360, SV-248573r779285_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -179,20 +179,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
References: - BP28(R19), 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "sudo"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure sudo is installed
package:
name: sudo
state: present
@@ -431,15 +417,29 @@
- medium_severity
- no_reboot_needed
- package_sudo_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_sudo
class install_sudo {
package { 'sudo':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=sudo
+
+[[packages]]
+name = "sudo"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure sudo Runs In A Minimal Environment - sudo env_reset [ref] | |||||||||||||
The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -448,27 +448,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | ||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot - [ref] | |||||||||||||
The sudo ignore_dot tag, when specified, will ignore the current directory
-in the PATH environment variable.
-This should be enabled by making sure that the ignore_dot tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
-downloaded locally. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | ||||||||||||
| Identifiers and References | References: - BP28(R58) | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010381, SV-248582r779312_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r779309_rule | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r779309_rule | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install dnf-automatic
dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.References: - BP28(R8), SRG-OS-000191-GPOS-00080
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "dnf-automatic" ; then
- yum install -y "dnf-automatic"
-fi
-
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
+ BP28(R8), SRG-OS-000191-GPOS-00080| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -250,15 +242,23 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
class install_dnf-automatic {
package { 'dnf-automatic':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=dnf-automatic
+
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+if ! rpm -q --quiet "dnf-automatic" ; then
+ yum install -y "dnf-automatic"
+fi
Rule Configure dnf-automatic to Install Available Updates Automatically [ref] | |||||||||
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | |||||||||
| Rationale: | Installing software updates is a fundamental mitigation against
@@ -268,7 +268,24 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | ||||||||
| Identifiers and References | References: - BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | ||||||||
Remediation Ansible snippet ⇲
| |||||||||
Rule + Configure dnf-automatic to Install Only Security Updates + [ref] | |||||
To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | |||||
| Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | ||||
| Severity: | low | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | ||||
| Identifiers and References | References: + BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | ||||
Remediation Ansible snippet ⇲
| |||||
Rule
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 2022-06-27 00:00:00.000000000 +0000
@@ -136,15 +136,7 @@
| |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -298,32 +298,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -448,15 +434,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -482,20 +482,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||||||||||||||||||||||||||||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -585,24 +585,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
@@ -125,21 +125,7 @@
[ref] | |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r779138_rule
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
- echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
+ CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r779138_rule| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
@@ -272,6 +260,18 @@
- medium_disruption
- reboot_required
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+ echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Enable FIPS Mode [ref] | |||||||||
To enable FIPS mode, run the following command:
@@ -288,33 +288,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | ||||||||
| Identifiers and References | References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r779138_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
-[[packages]]
-name = "crypto-policies"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
+ FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -444,15 +436,23 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
class install_crypto-policies {
package { 'crypto-policies':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=crypto-policies
+
+[[packages]]
+name = "crypto-policies"
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
@@ -138,15 +138,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -276,6 +268,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -295,28 +295,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -420,32 +420,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r779138_rule
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r779138_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
@@ -632,6 +614,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT:NO-SHA1'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 2022-06-27 00:00:00.000000000 +0000
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -279,6 +271,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r779138_rule
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r779138_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -515,6 +497,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -524,11 +524,7 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093, OL08-00-010287, SV-248560r779246_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/org/gnome/Vino/authentication-methodsAfter the settings have been set, run
dconf update.References: - 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
@@ -116,21 +116,7 @@
[ref]aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,15 +132,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r779138_rule
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
- echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
+ CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r779138_rule| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
@@ -263,6 +251,18 @@
- medium_disruption
- reboot_required
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+ echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Enable FIPS Mode [ref] | |||||||||
To enable FIPS mode, run the following command:
@@ -279,33 +279,7 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | ||||||||
| Identifiers and References | References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r779138_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
-[[packages]]
-name = "crypto-policies"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
+ FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -435,15 +427,23 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
class install_crypto-policies {
package { 'crypto-policies':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=crypto-policies
+
+[[packages]]
+name = "crypto-policies"
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -132,15 +132,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -270,6 +262,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -294,32 +294,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -444,15 +430,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -478,20 +478,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -581,24 +581,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -134,15 +134,7 @@
$ sudo rpm -Uvh PACKAGENAME | |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -296,32 +296,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r779138_rule
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r779138_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -533,6 +515,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -542,10 +542,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, OL08-00-010020, SV-248524r779138_rule | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Configure Libreswan to use System Crypto Policy [ref] | |||||||||||||||||||||||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -574,17 +574,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | |||||||||||||||||||||||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | ||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, OL08-00-010020, SV-248524r779138_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||||||||||||||||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -170,7 +170,80 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r779996_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
The aide package can be installed with the following command:
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010360, SV-248573r779285_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -176,7 +176,80 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||||||||
| Identifiers and References | References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r779996_rule | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||||||||||||||
| Severity: | high | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||||||||||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -296,32 +296,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -531,6 +513,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -540,10 +540,7 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Configure Libreswan to use System Crypto Policy [ref] | |||||||||||||||||||||||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -571,17 +571,7 @@
include /etc/crypto-policies/back-ends/libreswan.config | |||||||||||||||||||||||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | ||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27096-7 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -183,24 +183,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-26952-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Disable Prelinking [ref] | |||||||
The prelinking feature changes binaries in an attempt to decrease their startup
@@ -317,22 +317,7 @@
$ sudo /usr/sbin/prelink -ua | |||||||
| Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | ||||||
| Identifiers and References | Identifiers: CCE-27078-5 References: - 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.5.4 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-80144-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -417,12 +417,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-82053-0 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -433,12 +433,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-82014-2 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule
Ensure /var/log Located On Separate Partition
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 2022-06-27 00:00:00.000000000 +0000
@@ -116,21 +116,7 @@
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27096-7 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -182,20 +182,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/boot partition contains the kernel and bootloader files.
Access to this partition should be restricted.Identifiers: CCE-83333-5
References: - BP28(R12)
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /boot
+
[[customizations.filesystem]]
mountpoint = "/boot"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /boot
Rule Ensure /home Located On Separate Partition [ref] | |||||||||||||
If user home directories will be stored locally, create a separate partition
@@ -316,12 +316,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | ||||||||||||
| Identifiers and References | Identifiers: CCE-80144-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /opt Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /opt directory resides on a separate
@@ -330,12 +330,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | ||||||||||||
| Identifiers and References | Identifiers: CCE-83339-2 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -347,12 +347,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | Identifiers: CCE-83376-4 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -361,12 +361,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-82053-0 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /usr Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /usr directory resides on a separate
@@ -374,12 +374,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | ||||||||||||
| Identifiers and References | Identifiers: CCE-83342-6 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /var directory is used by daemons and other system
@@ -390,12 +390,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||||||||||||||||||||||||||
| Severity: | low | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-82014-2 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | ||||||||||||||||||||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27096-7 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -182,20 +182,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,24 +290,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-26952-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Notification of Post-AIDE Scan Details [ref] | |||||||||||||||||||||||||||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -433,40 +433,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80374-2 References: - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, RHEL-07-020040, SV-204446r603261_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27096-7 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -182,20 +182,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/boot partition contains the kernel and bootloader files.
Access to this partition should be restricted.Identifiers: CCE-83333-5
References: - BP28(R12)
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /boot
+
[[customizations.filesystem]]
mountpoint = "/boot"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /boot
Rule Ensure /home Located On Separate Partition [ref] | |||||||||||||
If user home directories will be stored locally, create a separate partition
@@ -316,12 +316,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | ||||||||||||
| Identifiers and References | Identifiers: CCE-80144-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /opt Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /opt directory resides on a separate
@@ -330,12 +330,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | ||||||||||||
| Identifiers and References | Identifiers: CCE-83339-2 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -347,12 +347,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | Identifiers: CCE-83376-4 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -361,12 +361,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-82053-0 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /usr Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /usr directory resides on a separate
@@ -374,12 +374,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | ||||||||||||
| Identifiers and References | Identifiers: CCE-83342-6 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -390,12 +390,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-82014-2 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | Identifiers: CCE-80350-2 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r603261_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | Identifiers: - CCE-80351-0 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r603261_rule | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | Identifiers: + CCE-80351-0 References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r603261_rule | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Identifiers: CCE-26989-4
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
-else
- # \n is precaution for case where file ends without trailing newline
- cce="CCE-26989-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
- printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
+ BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -340,18 +308,7 @@
- low_complexity
- medium_disruption
- no_reboot_needed
-Rule - Ensure gpgcheck Enabled for Local Packages - [ref] | |||||
yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. | |||||
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
- -Accordingly, patches, service packs, device drivers, or operating system components must -be signed with a certificate recognized and approved by the organization. | ||||
| Severity: | high | ||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | ||||
| Identifiers and References | Identifiers: - CCE-80347-8 References: - BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020060, SV-204448r603261_rule | ||||
Remediation Shell script ⇲
| |||||
Rule + Ensure gpgcheck Enabled for Local Packages + [ref] | |||||||||||||||||||||||||||||||||||||
yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+ +Accordingly, patches, service packs, device drivers, or operating system components must +be signed with a certificate recognized and approved by the organization. | ||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: + CCE-80347-8 References: /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-06-27 00:00:00.000000000 +0000 @@ -115,21 +115,7 @@ $ sudo yum install aide | ||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27096-7 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -181,20 +181,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,24 +289,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-26952-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-80144-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -461,12 +461,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-82053-0 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -477,12 +477,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-82014-2 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
System logs are stored in the /var/log directory.
@@ -492,12 +492,12 @@
enables better separation between log files
and other files in /var/. | |||||||||||||||||||||||||||||||||||||
| Severity: | low | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000 @@ -115,21 +115,7 @@ $ sudo yum install aide | ||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27096-7 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -181,20 +181,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,24 +289,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-26952-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-82053-0
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
Identifiers: CCE-80106-8
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
- printf '%s=%s\n' "disable-user-list" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
- if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${SETTINGSFILES[@]}"
- else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,21 +115,7 @@
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,15 +132,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -181,20 +181,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,24 +289,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-26952-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-82053-0
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
Identifiers: CCE-80106-8
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
- printf '%s=%s\n' "disable-user-list" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
- if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${SETTINGSFILES[@]}"
- else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,21 +115,7 @@
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,15 +132,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -181,20 +181,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,24 +289,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-26952-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-80144-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, 1.1.17, SV-204493r603840_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -461,12 +461,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-82053-0 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -477,12 +477,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-82014-2 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||
System logs are stored in the /var/log directory.
@@ -492,12 +492,12 @@
enables better separation between log files
and other files in /var/. | |||||||
| Severity: | low | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 2022-06-27 00:00:00.000000000 +0000 @@ -137,15 +137,7 @@ information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | Identifiers: CCE-27157-7 References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -468,15 +454,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -503,20 +503,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -611,24 +611,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 2022-06-27 00:00:00.000000000 +0000 @@ -142,17 +142,7 @@ standards approved by the federal government since this provides assurance they have been tested and validated. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | ||||||
| Identifiers and References | Identifiers: CCE-80358-5 References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Enable FIPS Mode in GRUB2 [ref] | |||||||||
To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -215,72 +215,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | ||||||||
| Identifiers and References | Identifiers: CCE-80359-3 References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-26989-4
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
@@ -139,15 +139,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-27157-7
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -287,6 +279,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -307,28 +307,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | Identifiers: CCE-80545-7 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -439,32 +439,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Identifiers: CCE-80350-2
References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r603261_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r603261_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
@@ -625,34 +610,34 @@
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
-Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | Identifiers: - CCE-80351-0 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r603261_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||||||||
| Identifiers and References | Identifiers: CCE-27157-7 References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -315,32 +315,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
dconf update.Identifiers: CCE-80120-9
References: - 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
- else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-if [[ -z "${LOCKFILES}" ]]
-then
- echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
+ 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -632,23 +587,7 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-Rule - Require Encryption for Remote Access in GNOME3 - [ref] | |||||||
By default, GNOME requires encryption when using Vino for remote access.
-To prevent remote access encryption from being disabled, add or set
-require-encryption to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/Vino] -require-encryption=true --Once the settings have been added, add a lock to - /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/Vino/require-encryption-After the settings have been set, run dconf update. | |||||||
| Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
-remotely. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | ||||||
| Identifiers and References | Identifiers: - CCE-80121-7 References: - 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | ||||||
Remediation Shell script ⇲ | |||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | Identifiers: CCE-27157-7 References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -333,32 +333,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -491,15 +477,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -526,20 +526,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -634,24 +634,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000 @@ -133,17 +133,7 @@ standards approved by the federal government since this provides assurance they have been tested and validated. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | ||||||
| Identifiers and References | Identifiers: CCE-80358-5 References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Enable FIPS Mode in GRUB2 [ref] | |||||||||
To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -206,72 +206,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | ||||||||
| Identifiers and References | Identifiers: CCE-80359-3 References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-26989-4
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -133,15 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-27157-7
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -281,6 +273,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -306,32 +306,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -464,15 +450,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -499,20 +499,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-27220-3 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -607,24 +607,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 2022-06-27 00:00:00.000000000 +0000 @@ -135,15 +135,7 @@ information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | Identifiers: CCE-27157-7 References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -303,28 +303,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | Identifiers: CCE-80545-7 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -435,32 +435,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -593,15 +579,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 2022-06-27 00:00:00.000000000 +0000
@@ -158,15 +158,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-27157-7
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -306,6 +298,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -326,28 +326,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | Identifiers: CCE-80545-7 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -458,32 +458,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Identifiers: CCE-80359-3
References: - 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-# prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
- if grep -q ^PRELINKING /etc/sysconfig/prelink
- then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
- else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
- fi
-
- # Undo previous prelink changes to binaries if prelink is available.
- if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
- fi
-fi
-
-if grep -q -m1 -o aes /proc/cpuinfo; then
- if ! rpm -q --quiet "dracut-fips-aesni" ; then
- yum install -y "dracut-fips-aesni"
-fi
-fi
-if ! rpm -q --quiet "dracut-fips" ; then
- yum install -y "dracut-fips"
-fi
-
-dracut -f
-
-# Correct the form of default kernel command line in grub
-if grep -q '^GRUB_CMDLINE_LINUX=.*fips=.*"' /etc/default/grub; then
- # modify the GRUB command-line if a fips= arg already exists
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)fips=[^[:space:]]*\(.*"\)/\1 fips=1 \2/' /etc/default/grub
-else
- # no existing fips=arg is present, append it
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 fips=1"/' /etc/default/grub
-fi
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 2022-06-27 00:00:00.000000000 +0000
@@ -113,21 +113,7 @@
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -144,15 +130,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-82053-0
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, 1.1.2, SV-204496r603261_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -201,12 +201,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-82014-2 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021320, 1.1.10, SV-204494r603261_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||||||||
System logs are stored in the /var/log directory.
@@ -216,12 +216,12 @@
enables better separation between log files
and other files in /var/. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||||||||
| Identifiers and References | Identifiers: CCE-82034-0 References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -235,12 +235,12 @@
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | Identifiers: CCE-82035-7 References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021330, 1.1.16, SV-204495r603261_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Identifiers: CCE-26989-4
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
-else
- # \n is precaution for case where file ends without trailing newline
- cce="CCE-26989-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
- printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
+ BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -362,6 +330,38 @@
- low_complexity
- medium_disruption
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+ "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+ cce="CCE-26989-4"
+ printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
+ printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Ensure gpgcheck Enabled for All yum Package Repositories /usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2022-06-27 00:00:00.000000000 +0000 @@ -135,15 +135,7 @@ information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. | |||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | Identifiers: CCE-27157-7 References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
/var/.Identifiers: CCE-82034-0
References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15
+ BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /var/log
+
[[customizations.filesystem]]
mountpoint = "/var/log"
size = 5368709120
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /var/log
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -474,12 +474,12 @@
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | Identifiers: CCE-82035-7 References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-07-021330, 1.1.16, SV-204495r603261_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Identifiers: CCE-26989-4
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
-else
- # \n is precaution for case where file ends without trailing newline
- cce="CCE-26989-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
- printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
+ BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -601,6 +569,38 @@
- low_complexity
- medium_disruption
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+ "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
+else
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 2022-06-27 00:00:00.000000000 +0000
@@ -144,15 +144,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-27157-7
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -292,6 +284,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -312,28 +312,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | Identifiers: CCE-80545-7 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -444,32 +444,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -602,15 +588,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 2022-06-27 00:00:00.000000000 +0000
@@ -150,15 +150,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-27157-7
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -298,6 +290,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -318,28 +318,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | Identifiers: CCE-80545-7 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -450,32 +450,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-27209-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-27096-7
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -608,15 +594,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 2022-06-27 00:00:00.000000000 +0000
@@ -116,21 +116,7 @@
$ sudo yum install aide
Identifiers: CCE-80844-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -147,15 +133,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -182,20 +182,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-80675-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/boot partition contains the kernel and bootloader files.
Access to this partition should be restricted.Identifiers: CCE-83336-8
References: - BP28(R12)
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /boot
+
[[customizations.filesystem]]
mountpoint = "/boot"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /boot
Rule Ensure /home Located On Separate Partition [ref] | |||||||||||||
If user home directories will be stored locally, create a separate partition
@@ -316,12 +316,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | ||||||||||||
| Identifiers and References | Identifiers: CCE-81044-0 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.13, SV-230328r627750_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /opt Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /opt directory resides on a separate
@@ -330,12 +330,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | ||||||||||||
| Identifiers and References | Identifiers: CCE-83340-0 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -347,12 +347,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | Identifiers: CCE-83387-1 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -361,12 +361,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-80851-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2, SV-230295r627750_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /usr Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /usr directory resides on a separate
@@ -374,12 +374,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | ||||||||||||
| Identifiers and References | Identifiers: CCE-83343-4 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /var directory is used by daemons and other system
@@ -390,12 +390,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||||||||||||||||||||||||||
| Severity: | low | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80852-7 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010540, 1.1.6, SV-230292r627750_rule | ||||||||||||||||||||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -182,20 +182,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-80675-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,24 +290,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-80676-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Notification of Post-AIDE Scan Details [ref] | |||||||||||||||||||||||||||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -428,40 +428,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-82891-3 References: - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r627750_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -182,20 +182,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-80675-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
/boot partition contains the kernel and bootloader files.
Access to this partition should be restricted.Identifiers: CCE-83336-8
References: - BP28(R12)
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /boot
+
[[customizations.filesystem]]
mountpoint = "/boot"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /boot
Rule Ensure /home Located On Separate Partition [ref] | |||||||||||||
If user home directories will be stored locally, create a separate partition
@@ -316,12 +316,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | ||||||||||||
| Identifiers and References | Identifiers: CCE-81044-0 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.13, SV-230328r627750_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /opt Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /opt directory resides on a separate
@@ -330,12 +330,12 @@
makes it easier to apply restrictions e.g. through the nosuid mount
option. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_opt | ||||||||||||
| Identifiers and References | Identifiers: CCE-83340-0 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -347,12 +347,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | Identifiers: CCE-83387-1 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -361,12 +361,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-80851-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2, SV-230295r627750_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /usr Located On Separate Partition [ref] | |||||||||||||
It is recommended that the /usr directory resides on a separate
@@ -374,12 +374,12 @@
Putting it on a separate partition allows limiting its size and applying
restrictions through mount options. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_usr | ||||||||||||
| Identifiers and References | Identifiers: CCE-83343-4 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -390,12 +390,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-80852-7 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010540, 1.1.6, SV-230292r627750_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | Identifiers: CCE-82202-3 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010381, SV-230272r627750_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -169,22 +169,7 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | Identifiers: CCE-82197-5 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010380, SV-230271r627750_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.Identifiers: CCE-82985-3
References: - BP28(R8), SRG-OS-000191-GPOS-00080
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "dnf-automatic" ; then
- yum install -y "dnf-automatic"
-fi
-
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
+ BP28(R8), SRG-OS-000191-GPOS-00080| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -260,15 +252,23 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
class install_dnf-automatic {
package { 'dnf-automatic':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=dnf-automatic
+
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+if ! rpm -q --quiet "dnf-automatic" ; then
+ yum install -y "dnf-automatic"
+fi
Rule Configure dnf-automatic to Install Available Updates Automatically [ref] | |||||||||
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | |||||||||
| Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,7 +279,25 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | ||||||||
| Identifiers and References | Identifiers: CCE-82494-6 References: - BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | ||||||||
Remediation Ansible snippet ⇲
| |||||||||
Rule + Configure dnf-automatic to Install Only Security Updates + [ref] | |||||||||||||||||||||||||||||||||||||
To configure dnf-automatic to install only security updates
+automatically, set upgrade_type to security under
+[commands] section in /etc/dnf/automatic.conf. | |||||||||||||||||||||||||||||||||||||
| Rationale: | By default, dnf-automatic installs all available updates.
+Reducing the amount of updated packages only to updates that were
+issued as a part of a security advisory increases the system stability. | ||||||||||||||||||||||||||||||||||||
| Severity: | low | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: + CCE-82267-6 References: + BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | ||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -178,24 +178,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-80676-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='FUTURE'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FUTURE
tags:
@@ -404,6 +386,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FUTURE'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -414,11 +414,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-80939-2 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.20, SV-244526r809334_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-81044-0
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.13, SV-230328r627750_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /tmp directory is a world-writable directory used
@@ -485,12 +485,12 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -115,21 +115,7 @@
$ sudo yum install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -178,24 +178,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-80676-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -404,6 +386,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -414,11 +414,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-80939-2 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.20, SV-244526r809334_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-80851-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2, SV-230295r627750_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
$ sudo yum install aide
Identifiers: CCE-80844-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,15 +132,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -178,24 +178,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-80676-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -404,6 +386,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -414,11 +414,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-80939-2 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.20, SV-244526r809334_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-80851-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2, SV-230295r627750_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
$ sudo yum install aide
Identifiers: CCE-80844-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,15 +132,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -178,24 +178,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-80676-0 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='FUTURE'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FUTURE
tags:
@@ -404,6 +386,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FUTURE'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -414,11 +414,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-80939-2 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.20, SV-244526r809334_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-81044-0
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.13, SV-230328r627750_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||
The /tmp directory is a world-writable directory used
@@ -485,12 +485,12 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 2022-06-27 00:00:00.000000000 +0000
@@ -137,15 +137,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | |||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | Identifiers: CCE-80857-6 References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -305,32 +305,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-80858-4 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-80844-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -460,15 +446,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -495,20 +495,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-80675-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||||||||||||||||||||||||||||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -603,24 +603,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 2022-06-27 00:00:00.000000000 +0000 @@ -126,21 +126,7 @@ $ sudo yum install aide | ||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Identifiers: CCE-82155-3
References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
- echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
+ CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
@@ -278,6 +266,18 @@
- medium_disruption
- reboot_required
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+ echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Enable FIPS Mode [ref] | |||||||||
To enable FIPS mode, run the following command:
@@ -295,33 +295,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | ||||||||
| Identifiers and References | Identifiers: CCE-80942-6 References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-82723-8
References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
-[[packages]]
-name = "crypto-policies"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
+ FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -457,15 +449,23 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
class install_crypto-policies {
package { 'crypto-policies':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=crypto-policies
+
+[[packages]]
+name = "crypto-policies"
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2022-06-27 00:00:00.000000000 +0000
@@ -139,15 +139,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-80857-6
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -282,6 +274,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -302,28 +302,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | Identifiers: CCE-82196-7 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -431,32 +431,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-80858-4 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
@@ -649,6 +631,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT:NO-SHA1'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 2022-06-27 00:00:00.000000000 +0000
@@ -142,15 +142,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-80857-6
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -285,6 +277,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-80858-4 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -528,6 +510,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -538,11 +538,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-80939-2 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.20, SV-244526r809334_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
dconf update.Identifiers: CCE-80772-7
References: - 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-06-27 00:00:00.000000000 +0000
@@ -143,15 +143,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-80857-6
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -286,6 +278,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -306,28 +306,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | Identifiers: CCE-82196-7 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -435,32 +435,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-80858-4 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-80844-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -590,15 +576,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
@@ -117,21 +117,7 @@
$ sudo yum install aide
Identifiers: CCE-80844-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -148,15 +134,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Identifiers: CCE-82155-3
References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
- echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
+ CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
@@ -269,6 +257,18 @@
- medium_disruption
- reboot_required
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+ echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Enable FIPS Mode [ref] | |||||||||
To enable FIPS mode, run the following command:
@@ -286,33 +286,7 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | |||||||||
| Severity: | high | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | ||||||||
| Identifiers and References | Identifiers: CCE-80942-6 References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-82723-8
References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
-
-[[packages]]
-name = "crypto-policies"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
+ FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure crypto-policies is installed
package:
name: crypto-policies
state: present
@@ -448,15 +440,23 @@
- medium_severity
- no_reboot_needed
- package_crypto-policies_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_crypto-policies
class install_crypto-policies {
package { 'crypto-policies':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=crypto-policies
+
+[[packages]]
+name = "crypto-policies"
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -133,15 +133,7 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.Identifiers: CCE-80857-6
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -276,6 +268,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -301,32 +301,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-80858-4 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo yum install aide
Identifiers: CCE-80844-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -456,15 +442,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -491,20 +491,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-80675-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||||||||||||||||||||||||||||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -599,24 +599,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 2022-06-27 00:00:00.000000000 +0000 @@ -113,21 +113,7 @@ $ sudo yum install aide | ||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -260,6 +242,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -270,11 +270,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-80939-2 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.20, SV-244526r809334_rule | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-80851-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2, SV-230295r627750_rule
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -341,12 +341,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-80852-7 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010540, 1.1.6, SV-230292r627750_rule | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||||||||
System logs are stored in the /var/log directory.
@@ -356,12 +356,12 @@
enables better separation between log files
and other files in /var/. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||||||||
| Identifiers and References | Identifiers: CCE-80853-5 References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.11, SV-230293r627750_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -375,12 +375,12 @@
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | Identifiers: CCE-80854-3 References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010542, 1.1.12, SV-230294r627750_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 2022-06-27 00:00:00.000000000 +0000 @@ -135,15 +135,7 @@ information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Identifiers: CCE-80857-6
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -278,6 +270,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -303,32 +303,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-80858-4 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Identifiers: CCE-80935-0
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -547,6 +529,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -557,10 +557,7 @@
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | Identifiers: CCE-80936-8 References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r792855_rule | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Configure Libreswan to use System Crypto Policy [ref] | |||||||||||||||||||||||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -591,17 +591,7 @@
service violate expectations, and makes system configuration more
fragmented. | |||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80937-6 References: - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r792855_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,78 +183,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||
| Identifiers and References | Identifiers: CCE-85964-5 References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r627750_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Configure Notification of Post-AIDE Scan Details - [ref] | |||||||||||||||||||||||||||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
-If AIDE has already been configured for periodic execution in /etc/crontab, append the
-following line to the existing AIDE line:
-| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost-Otherwise, add the following line to /etc/crontab:
-05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost-AIDE can be executed periodically through other means; this is merely one example. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Unauthorized changes to the baseline configuration could make the system vulnerable
-to various attacks or allow unauthorized access to the operating system. Changes to
-operating system configurations can have unintended side effects, some of which may
-be relevant to security.
- -Detecting such changes and providing an automated response can help avoid unintended, -negative consequences that could ultimately affect the security state of the operating -system. The operating system's Information Management Officer (IMO)/Information System -Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or -monitoring system trap when there is an unauthorized modification of a configuration item. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: - CCE-82891-3 References: - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r627750_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80844-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.4.1, SV-251710r809354_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,78 +189,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||
| Identifiers and References | Identifiers: CCE-85964-5 References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r627750_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Configure Notification of Post-AIDE Scan Details - [ref] | |||||||||||||||||||||||||||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
-If AIDE has already been configured for periodic execution in /etc/crontab, append the
-following line to the existing AIDE line:
-| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost-Otherwise, add the following line to /etc/crontab:
-05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost-AIDE can be executed periodically through other means; this is merely one example. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Unauthorized changes to the baseline configuration could make the system vulnerable
-to various attacks or allow unauthorized access to the operating system. Changes to
-operating system configurations can have unintended side effects, some of which may
-be relevant to security.
- -Detecting such changes and providing an automated response can help avoid unintended, -negative consequences that could ultimately affect the security state of the operating -system. The operating system's Information Management Officer (IMO)/Information System -Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or -monitoring system trap when there is an unauthorized modification of a configuration item. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: - CCE-82891-3 References: - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r627750_rule | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -181,20 +181,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-83438-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-83468-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -317,12 +317,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | Identifiers: CCE-90846-7 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -331,12 +331,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-90845-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -347,12 +347,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-83466-3 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||||||||
System logs are stored in the /var/log directory.
@@ -362,12 +362,12 @@
enables better separation between log files
and other files in /var/. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||||||||
| Identifiers and References | Identifiers: CCE-90848-3 References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -381,12 +381,12 @@
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | Identifiers: CCE-90847-5 References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/tmp Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /var/tmp directory is a world-writable directory used
@@ -395,12 +395,12 @@
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_tmp | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-83487-9 References: - BP28(R12), SRG-OS-000480-GPOS-00227 | ||||||||||||||||||||||||||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -181,20 +181,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-83438-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,24 +289,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-83437-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Notification of Post-AIDE Scan Details [ref] | |||||||||||||
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -582,12 +582,12 @@
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_home | ||||||||||||
| Identifiers and References | Identifiers: CCE-83468-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -599,12 +599,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | Identifiers: CCE-90846-7 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -613,12 +613,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-90845-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /var directory is used by daemons and other system
@@ -629,12 +629,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||||||||||||||||||||||||||
| Severity: | low | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: /usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines) --- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 2022-06-27 00:00:00.000000000 +0000 +++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 2022-06-27 00:00:00.000000000 +0000 @@ -116,21 +116,7 @@ $ sudo dnf install aide | ||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -181,20 +181,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-83438-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-83468-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /srv Located On Separate Partition [ref] | |||||||||||||
If a file server (FTP, TFTP...) is hosted locally, create a separate partition
@@ -317,12 +317,12 @@
more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. | |||||||||||||
| Severity: | unknown | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_srv | ||||||||||||
| Identifiers and References | Identifiers: CCE-90846-7 References: - BP28(R12) | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||
The /tmp directory is a world-writable directory used
@@ -331,12 +331,12 @@
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-90845-9 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var Located On Separate Partition [ref] | |||||||||||||
The /var directory is used by daemons and other system
@@ -347,12 +347,12 @@
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var | ||||||||||||
| Identifiers and References | Identifiers: CCE-83466-3 References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log Located On Separate Partition [ref] | |||||||||||||
System logs are stored in the /var/log directory.
@@ -362,12 +362,12 @@
enables better separation between log files
and other files in /var/. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log | ||||||||||||
| Identifiers and References | Identifiers: CCE-90848-3 References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -381,12 +381,12 @@
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | Identifiers: CCE-90847-5 References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
Rule Ensure /var/tmp Located On Separate Partition [ref] | |||||||||||||
The /var/tmp directory is a world-writable directory used
@@ -395,12 +395,12 @@
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_tmp | ||||||||||||
| Identifiers and References | Identifiers: CCE-83487-9 References: - BP28(R12), SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | ||||||||||||
| Identifiers and References | Identifiers: CCE-83544-7 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD - [ref] | |||||||||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | |||||||||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
- -When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate. | ||||||||||||||||||
| Severity: | medium | ||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||||||||
| Identifiers and References | Identifiers: - CCE-83536-3 References: - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||
Rule + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + [ref] | |||||||||||||
The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | |||||||||||||
| Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+ +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | ||||||||||||
| Identifiers and References | Identifiers: + CCE-83536-3 References: + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | ||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.Identifiers: CCE-83454-9
References: - BP28(R8), SRG-OS-000191-GPOS-00080
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
-if ! rpm -q --quiet "dnf-automatic" ; then
- dnf install -y "dnf-automatic"
-fi
-
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
+ BP28(R8), SRG-OS-000191-GPOS-00080| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure dnf-automatic is installed
package:
name: dnf-automatic
state: present
@@ -254,15 +246,23 @@
- medium_severity
- no_reboot_needed
- package_dnf-automatic_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_dnf-automatic
class install_dnf-automatic {
package { 'dnf-automatic':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=dnf-automatic
+
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+if ! rpm -q --quiet "dnf-automatic" ; then
+ dnf install -y "dnf-automatic"
+fi
Rule Configure dnf-automatic to Install Available Updates Automatically [ref] | |||||||
To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | |||||||
| Rationale: | Installing software updates is a fundamental mitigation against
@@ -357,39 +357,7 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | ||||||
| Identifiers and References | Identifiers: CCE-83457-2 References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule - Ensure gpgcheck Enabled for Local Packages - [ref] | |||||||||||||||||||||||||||||||||||||
dnf should be configured to verify the signature(s) of local packages
-prior to installation. To configure dnf to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
- -Accordingly, patches, service packs, device drivers, or operating system components must -be signed with a certificate recognized and approved by the organization. | ||||||||||||||||||||||||||||||||||||
| Severity: | high | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: - CCE-83463-0 References: - BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲ | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -174,24 +174,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-83437-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-83450-7
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FUTURE'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FUTURE
tags:
@@ -398,6 +380,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FUTURE'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -408,11 +408,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-83445-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-83468-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /tmp directory is a world-writable directory used
@@ -478,12 +478,12 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 2022-06-27 00:00:00.000000000 +0000
@@ -112,21 +112,7 @@
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -174,24 +174,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-83437-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-83450-7
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -398,6 +380,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -408,11 +408,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-83445-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-90845-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
$ sudo dnf install aide
Identifiers: CCE-90843-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -142,15 +128,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -174,24 +174,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-83437-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-83450-7
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT
tags:
@@ -398,6 +380,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -408,11 +408,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-83445-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.Identifiers: CCE-90845-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /tmp
$ sudo dnf install aide
Identifiers: CCE-90843-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -142,15 +128,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -174,24 +174,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||
| Identifiers and References | Identifiers: CCE-83437-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Identifiers: CCE-83450-7
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FUTURE'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FUTURE
tags:
@@ -398,6 +380,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FUTURE'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -408,11 +408,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-83445-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-83468-9
References: - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227
| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /home
Rule Ensure /tmp Located On Separate Partition [ref] | |||||||||||||||||||||||||||||||||||||
The /tmp directory is a world-writable directory used
@@ -478,12 +478,12 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 2022-06-27 00:00:00.000000000 +0000
@@ -126,21 +126,7 @@
$ sudo dnf install aide | |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Identifiers: CCE-86547-7
References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
- echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
+ CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
@@ -274,6 +262,18 @@
- medium_disruption
- reboot_required
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+ echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Enable FIPS Mode [ref] | |||||||||||||||||||||||||||||||||||||
To enable FIPS mode, run the following command:
@@ -340,15 +340,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-83442-4 References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure BIND to use System Crypto Policy [ref] | |||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -422,25 +422,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | |||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | ||||||
| Identifiers and References | Identifiers: CCE-83450-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -495,10 +495,7 @@
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | Identifiers: CCE-83449-9 References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||||||
| Identifiers and References | Identifiers: CCE-90842-6 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -296,32 +296,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-90840-0 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Identifiers: CCE-83450-7
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='DEFAULT:NO-SHA1'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str DEFAULT:NO-SHA1
tags:
@@ -512,6 +494,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='DEFAULT:NO-SHA1'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -522,11 +522,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-83445-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
Identifiers: CCE-90840-0
References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108
| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect permissions
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect permissions
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nouser --nogroup
args:
@@ -286,6 +261,31 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_permissions
+| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+ # NOTE: some files maybe controlled by more then one package
+ readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+ for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+ do
+ # Use an associative array to store packages as it's keys, not having to care about duplicates.
+ SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+ done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+ rpm --restore "${RPM_PACKAGE}"
+done
Identifiers: CCE-83450-7
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS
tags:
@@ -391,6 +373,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FIPS'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
Rule Configure SSH to use System Crypto Policy [ref] | |||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,11 +401,7 @@
in the /etc/sysconfig/sshd. | |||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | ||||||||
| Severity: | medium | ||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | ||||||||
| Identifiers and References | Identifiers: CCE-83445-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 | ||||||||
Remediation Shell script ⇲
| |||||||||
Remediation Ansible snippet ⇲
| |||||||||
dconf update.Identifiers: CCE-87524-5
References: - 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
-then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
- else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-if [[ -z "${LOCKFILES}" ]]
-then
- echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
+ 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)| Complexity: | low |
|---|---|
| Disruption: | medium |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -626,23 +581,7 @@
- medium_severity
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 2022-06-27 00:00:00.000000000 +0000
@@ -171,28 +171,7 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated.Identifiers: CCE-90842-6
References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108
| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --setugids "${RPM_PACKAGE}"
-done
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect ownership
+ 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: Read list of files with incorrect ownership
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nomode
args:
@@ -275,6 +254,27 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_ownership
+| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+ RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
+ # Use an associative array to store packages as it's keys, not having to care about duplicates.
+ SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+ rpm --setugids "${RPM_PACKAGE}"
+done
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -300,32 +300,7 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | Identifiers: CCE-90840-0 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
$ sudo dnf install aide
Identifiers: CCE-90843-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -454,15 +440,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Identifiers: CCE-83450-7
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FIPS'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 2022-06-27 00:00:00.000000000 +0000
@@ -116,21 +116,7 @@
$ sudo dnf install aide
Identifiers: CCE-90843-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -146,15 +132,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Identifiers: CCE-86547-7
References: - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
- echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
+ CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590| Complexity: | medium |
|---|---|
| Disruption: | medium |
| Reboot: | true |
| Strategy: | restrict |
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
changed_when: false
@@ -264,6 +252,18 @@
- medium_disruption
- reboot_required
- restrict_strategy
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+ echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Enable FIPS Mode [ref] | |||||||||||||||||||||||||||||||||||||
To enable FIPS mode, run the following command:
@@ -330,15 +330,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-83442-4 References: - FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure BIND to use System Crypto Policy [ref] | |||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -412,25 +412,7 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | |||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | ||||||
| Identifiers and References | Identifiers: CCE-83450-7 References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Kerberos to use System Crypto Policy [ref] | |||||||||||||||||
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -485,10 +485,7 @@
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | |||||||||||||||||
| Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | ||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | ||||||||||||||||
| Identifiers and References | Identifiers: CCE-83449-9 References: - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
| Severity: | high | ||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||||||
| Identifiers and References | Identifiers: CCE-90840-0 References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||
$ sudo dnf install aide
Identifiers: CCE-90843-4
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- dnf install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -320,15 +306,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ dnf install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -355,20 +355,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | Identifiers: CCE-83438-2 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||||||||||||||||||||||||||||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -463,24 +463,7 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | |||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-83437-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||||||||||||||||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||||||||||||||||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,78 +183,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-87757-1 References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
| Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | ||||||||||||||||||||||||||||||||||||
| Severity: | medium | ||||||||||||||||||||||||||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | ||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-90843-4 References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | ||||||||||||||||||||||||||||||||||||
Remediation Shell script ⇲
| |||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||||||||||||||||||||||||||
Rule Configure AIDE to Verify the Audit Tools [ref] | |||||||||||||
The operating system file integrity tool must be configured to protect the integrity of the audit tools. | |||||||||||||
| Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,78 +189,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | ||||||||||||
| Severity: | medium | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | ||||||||||||
| Identifiers and References | Identifiers: CCE-87757-1 References: - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -294,32 +294,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -443,15 +429,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -477,20 +477,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -580,24 +580,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 2022-06-27 00:00:00.000000000 +0000
@@ -133,15 +133,7 @@
$ sudo rpm -Uvh PACKAGENAME | |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -290,28 +290,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -415,32 +415,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -564,15 +550,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 2022-06-27 00:00:00.000000000 +0000
@@ -157,15 +157,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -295,6 +287,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct Ownership with RPM [ref] | |||||||||||||
The RPM package management system can check file ownership
@@ -314,28 +314,7 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -439,32 +439,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
References: - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
-var_system_crypto_policy='FIPS:OSPP'
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
+ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | restrict |
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str FIPS:OSPP
tags:
@@ -729,6 +711,24 @@
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+var_system_crypto_policy='FIPS:OSPP'
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 2022-06-27 00:00:00.000000000 +0000
@@ -141,15 +141,7 @@
$ sudo rpm -Uvh PACKAGENAME
References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
+ 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule| Complexity: | high |
|---|---|
| Disruption: | medium |
| Strategy: | restrict |
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
when: ansible_distribution == "Fedora"
@@ -284,6 +276,14 @@
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+yum reinstall -y $packages_to_reinstall
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -308,32 +308,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
aide package can be installed with the following command:
$ sudo yum install aide
References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r809229_rule
| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
-[[packages]]
-name = "aide"
-version = "*"
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
+ BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r809229_rule| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
- name: Ensure aide is installed
package:
name: aide
state: present
@@ -461,15 +447,29 @@
- medium_severity
- no_reboot_needed
- package_aide_installed
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
include install_aide
class install_aide {
package { 'aide':
ensure => 'installed',
}
}
-| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
package --add=aide
+
+[[packages]]
+name = "aide"
+version = "*"
+| Complexity: | low |
|---|---|
| Disruption: | low |
| Strategy: | enable |
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
Rule Build and Test AIDE Database [ref] | |||||||
Run the following command to generate a new database:
@@ -495,20 +495,7 @@
If this check produces any unexpected output, investigate. | |||||||
| Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | ||||||
| Severity: | medium | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | ||||||
| Identifiers and References | References: - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Configure Periodic Execution of AIDE [ref] | |||||||
At a minimum, AIDE should be configured to run a weekly scan.
@@ -598,24 +598,7 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 2022-06-27 00:00:00.000000000 +0000
@@ -143,15 +143,7 @@
$ sudo rpm -Uvh PACKAGENAME | |||||||
| Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | ||||||
| Severity: | high | ||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | ||||||
| Identifiers and References | References: - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | ||||||
Remediation Shell script ⇲
| |||||||
Remediation Ansible snippet ⇲
| |||||||
Rule Verify and Correct File Permissions with RPM [ref] | |||||||||||||
The RPM package management system can check file access permissions
@@ -310,32 +310,7 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | |||||||||||||
| Severity: | high | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | ||||||||||||
| Identifiers and References | References: - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | ||||||||||||
Remediation Shell script ⇲
| |||||||||||||
Remediation Ansible snippet ⇲
| |||||||||||||
/var/log in its own partition
enables better separation between log files
and other files in /var/.References: - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15
+ BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, 1.1.15| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
+part /var/log
+
[[customizations.filesystem]]
mountpoint = "/var/log"
size = 5368709120
-| Complexity: | low |
|---|---|
| Disruption: | high |
| Strategy: | enable |
-part /var/log
Rule Ensure /var/log/audit Located On Separate Partition [ref] | |||||||||||||
Audit logs are stored in the /var/log/audit directory.
@@ -471,12 +471,12 @@
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. | |||||||||||||
| Severity: | low | ||||||||||||
| Rule ID: | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | ||||||||||||
| Identifiers and References | References: - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, 1.1.16, SV-204495r603261_rule | ||||||||||||
Remediation OSBuild Blueprint snippet ⇲ | |||||||||||||
Remediation Anaconda snippet ⇲
| |||||||||||||
References: - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule
# Remediation is applicable only in certain platforms
-if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "1"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
-else
- # \n is precaution for case where file ends without trailing newline
- cce=""
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
- printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
+ BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule| Complexity: | low |
|---|---|
| Disruption: | medium |
| Strategy: | configure |
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -595,6 +563,38 @@
- low_complexity
- medium_disruption
- no_reboot_needed
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q yum; then
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/yum.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^gpgcheck")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
+ "${sed_command[@]}" "s/^gpgcheck\\>.*/$formatted_output/gi" "/etc/yum.conf"
+else
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,36 +43,61 @@
BP28(R1)
- Uninstall talk Package
+ Uninstall DHCP Server Package
-The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
+If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp package can be removed with the following command:
-$ sudo yum erase talk
+$ sudo yum erase dhcp
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
BP28(R1)
- Uninstall tftp-server Package
+ Remove telnet Clients
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 7.
+
+
+
+ BP28(R1)
+ Uninstall rsh-server Package
+
+The rsh-server package can be removed with the following command:
+
+$ sudo yum erase rsh-server
+
+
+The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
+
+
+
+ BP28(R1)
NT007(R03)
+ Uninstall the telnet server
+
+The telnet daemon should be uninstalled.
+
+
+telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
@@ -94,30 +119,18 @@
BP28(R1)
- Uninstall DHCP Server Package
+ Uninstall Sendmail Package
-If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp package can be removed with the following command:
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase dhcp
-
-
-Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
-
-
-
- BP28(R1)
NT007(R03)
- Uninstall the telnet server
-
-The telnet daemon should be uninstalled.
+$ sudo yum erase sendmail
-telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
@@ -146,32 +159,37 @@
BP28(R1)
- Uninstall rsh-server Package
+ Remove NIS Client
-The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
-The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
BP28(R1)
- Uninstall xinetd Package
+ Uninstall talk Package
-The xinetd package can be removed with the following command:
+The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
-$ sudo yum erase xinetd
+$ sudo yum erase talk
-Removing the xinetd package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
@@ -196,19 +214,18 @@
BP28(R1)
- Remove NIS Client
+ Uninstall tftp-server Package
-The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
-The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,78 +43,36 @@
3.1.1
3.1.5
- Disable SSH Root Login
-
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
-
-
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
-
-
-
- 3.1.1
- Disable GDM Automatic Login
-
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the AutomaticLoginEnable to false in the
-[daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-AutomaticLoginEnable=false
-
-
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-
-
-
- 3.1.1
- Disable GDM Guest Login
+ Restrict Virtual Console Root Logins
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
- 3.1.1
3.1.5
- Verify Only Root Has UID 0
+ 3.1.1
3.4.5
+ Require Authentication for Emergency Systemd Target
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
@@ -144,37 +102,20 @@
- 3.1.1
3.1.5
- Restrict Virtual Console Root Logins
-
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
-
-
-Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
-
-
-
- 3.1.1
3.4.5
- Require Authentication for Emergency Systemd Target
+ 3.1.1
+ Disable GDM Automatic Login
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
@@ -204,17 +145,23 @@
3.1.1
3.1.5
- Restrict Serial Port Root Logins
+ Disable SSH Root Login
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
@@ -237,6 +184,59 @@
3.1.1
3.1.5
+ Verify Only Root Has UID 0
+
+If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+
+
+An account has root authority if it has a UID of 0. Multiple accounts
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -42,76 +42,36 @@
Rationale
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
-
-
-
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+ IA-2
AC-3
CM-6(a)
+ Require Authentication for Emergency Systemd Target
-The audit system should collect detailed unauthorized file accesses for
-all users and root. The open syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via open syscall are collected.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - at
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
Misuse of privileged functions, either intentionally or unintentionally by
@@ -128,18 +88,113 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - umount
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+
+
+The place to add the lines depends on a way auditd daemon is configured. If it is configured
+to use the augenrules program (the default), add the lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl utility,
+add the lines to file /etc/audit/audit.rules.
+
+
+The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is important
+to have an audit trail of modules that have been introduced into the kernel.
+
+
+
+ IA-2
CM-6(a)
+ Direct root Logins Not Allowed
+
+To further limit access to the root account, administrators
+can disable root logins at the console by editing the /etc/securetty file.
+This file lists all devices the root user is allowed to login to. If the file does
+not exist at all, the root user can login through any communication device on the
+system, whether via the console or via a raw network interface. This is dangerous
+as user can login to the system as root via Telnet, which sends the password in
+plain text over the network. By default, Oracle Linux 7's
+/etc/securetty file only allows the root user to login at the console
+physically attached to the system. To prevent root from logging in, remove the
+contents of this file. To prevent direct root logins, remove the contents of this
+file by typing the following command:
+
+$ sudo echo > /etc/securetty
+
+
+
+Disabling direct root logins ensures proper accountability and multifactor
+authentication to privileged accounts. Users will first login, then escalate
+to privileged (root) access via su / sudo. This is required for FISMA Low
+and FISMA Moderate systems.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
+
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - rmdir
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
+
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+
+
+
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
+ Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,23 +43,24 @@
FAU_GEN.1
- Enable Auditing for Processes Which Start Prior to the Audit Daemon
+ Enable auditd Service
-To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
-Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
@@ -88,24 +89,23 @@
FAU_GEN.1
- Enable auditd Service
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
-The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
-Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
@@ -123,75 +123,126 @@
FAU_GEN.1.1.c
- Record Events that Modify the System's Discretionary Access Controls - lchown
+ Configure auditd to use audispd's syslog plugin
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+To configure the auditd service to use the
+syslog plug-in of the audispd audit event multiplexor, set
+the active line in /etc/audisp/plugins.d/syslog.conf to yes.
+Restart the auditd service:
+$ sudo service auditd restart
+
+
+The auditd service does not include the ability to send audit
+records to a centralized server for management directly. It does, however,
+include a plug-in for audit event multiplexor (audispd) to pass audit records
+to the local syslog server
+
+
+
+ FAU_GEN.1.1.c
+ Encrypt Audit Records Sent With audispd Plugin
+
+Configure the operating system to encrypt the transfer of off-loaded audit
+records onto a different system or media from the system being audited.
+
+Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf
,
+and set it with the following line:
+enable_krb5 = yes
+
+
+Information stored in one location is vulnerable to accidental or incidental deletion
+or alteration. Off-loading is a common process in information systems with limited
+audit storage capacity.
+
+
+
+ FAU_GEN.1.1.c
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
FAU_GEN.1.1.c
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+ Ensure auditd Collects File Deletion Events by User - rmdir
-The audit system should collect detailed unauthorized file accesses for
-all users and root. The open syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via open syscall are collected.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -59,6 +59,23 @@
Req-6.2
+ Ensure gpgcheck Enabled for All yum Package Repositories
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+
+
+
+ Req-6.2
Ensure gpgcheck Enabled In Main yum Configuration
The gpgcheck option controls whether
@@ -87,23 +104,6 @@
Req-6.2
- Ensure gpgcheck Enabled for All yum Package Repositories
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
-
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
-
-
-
- Req-6.2
Ensure Oracle Linux GPG Key Installed
To ensure the system can cryptographically verify base software
@@ -186,33 +186,33 @@
Req-7.1
- Verify /boot/grub2/grub.cfg User Ownership
+ Verify /boot/grub2/grub.cfg Group Ownership
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
Req-7.1
- Verify /boot/grub2/grub.cfg Group Ownership
+ Verify /boot/grub2/grub.cfg User Ownership
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
@@ -318,6 +318,28 @@
Req-8.1.8
+ Enable GNOME3 Screensaver Lock After Idle Period
+
+
+To activate locking of the screensaver in the GNOME3 desktop when it is activated,
+add or set lock-enabled to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+lock-enabled=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/desktop/screensaver/lock-enabled
+After the settings have been set, run dconf update.
+
+
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
+of the information system but does not want to logout because of the temporary nature of the absense.
+
+
+
+ Req-8.1.8
Implement Blank Screensaver
@@ -342,18 +364,26 @@
Req-8.1.8
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
+ Set SSH Idle Timeout Interval
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+SSH allows administrators to set an idle timeout interval. After this interval
+has passed, the idle user will be automatically logged out.
+
+To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
+follows:
+ClientAliveInterval 300
+
+The timeout interval is given in seconds. For example, have a timeout
+of 10 minutes, set interval to 600.
+
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
+some processes may stop SSH from correctly detecting that the user is idle.
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Terminating an idle ssh session within a short time period reduces the window of
+opportunity for unauthorized personnel to take control of a management session
+enabled on the console or console port that has been let unattended.
@@ -396,6 +426,29 @@
Req-8.1.8
+ Set SSH Client Alive Count Max to zero
+
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
+
+
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
+
+
+
+ Req-8.1.8
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
@@ -417,14 +470,13 @@
Req-8.1.8
- Set GNOME3 Screensaver Lock Delay After Activation Period
+ Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
-To activate the locking delay of the screensaver in the GNOME3 desktop when
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,36 +43,61 @@
BP28(R1)
- Uninstall talk Package
+ Uninstall DHCP Server Package
-The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
+If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp package can be removed with the following command:
-$ sudo yum erase talk
+$ sudo yum erase dhcp
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
BP28(R1)
- Uninstall tftp-server Package
+ Remove telnet Clients
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 8.
+
+
+
+ BP28(R1)
+ Uninstall rsh-server Package
+
+The rsh-server package can be removed with the following command:
+
+$ sudo yum erase rsh-server
+
+
+The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
+
+
+
+ BP28(R1)
NT007(R03)
+ Uninstall the telnet server
+
+The telnet daemon should be uninstalled.
+
+
+telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
@@ -94,30 +119,18 @@
BP28(R1)
- Uninstall DHCP Server Package
+ Uninstall Sendmail Package
-If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp package can be removed with the following command:
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase dhcp
-
-
-Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
-
-
-
- BP28(R1)
NT007(R03)
- Uninstall the telnet server
-
-The telnet daemon should be uninstalled.
+$ sudo yum erase sendmail
-telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
@@ -146,32 +159,37 @@
BP28(R1)
- Uninstall rsh-server Package
+ Remove NIS Client
-The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
-The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
BP28(R1)
- Uninstall xinetd Package
+ Uninstall talk Package
-The xinetd package can be removed with the following command:
+The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
-$ sudo yum erase xinetd
+$ sudo yum erase talk
-Removing the xinetd package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
@@ -196,19 +214,18 @@
BP28(R1)
- Remove NIS Client
+ Uninstall tftp-server Package
-The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
-The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,78 +43,36 @@
3.1.1
3.1.5
- Disable SSH Root Login
-
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
-
-
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
-
-
-
- 3.1.1
- Disable GDM Automatic Login
-
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the AutomaticLoginEnable to false in the
-[daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-AutomaticLoginEnable=false
-
-
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-
-
-
- 3.1.1
- Disable GDM Guest Login
+ Restrict Virtual Console Root Logins
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
- 3.1.1
3.1.5
- Verify Only Root Has UID 0
+ 3.1.1
3.4.5
+ Require Authentication for Emergency Systemd Target
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
@@ -144,37 +102,20 @@
- 3.1.1
3.1.5
- Restrict Virtual Console Root Logins
-
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
-
-
-Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
-
-
-
- 3.1.1
3.4.5
- Require Authentication for Emergency Systemd Target
+ 3.1.1
+ Disable GDM Automatic Login
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
@@ -204,17 +145,23 @@
3.1.1
3.1.5
- Restrict Serial Port Root Logins
+ Disable SSH Root Login
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
@@ -237,6 +184,59 @@
3.1.1
3.1.5
+ Verify Only Root Has UID 0
+
+If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+
+
+An account has root authority if it has a UID of 0. Multiple accounts
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -42,76 +42,36 @@
Rationale
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
-
-
-
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+ IA-2
AC-3
CM-6(a)
+ Require Authentication for Emergency Systemd Target
-The audit system should collect detailed unauthorized file accesses for
-all users and root. The open syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via open syscall are collected.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - at
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Misuse of privileged functions, either intentionally or unintentionally by
@@ -128,46 +88,113 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - umount
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
-At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+
+
+The place to add the lines depends on a way auditd daemon is configured. If it is configured
+to use the augenrules program (the default), add the lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl utility,
+add the lines to file /etc/audit/audit.rules.
+
+
+The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is important
+to have an audit trail of modules that have been introduced into the kernel.
+
+
+
+ IA-2
CM-6(a)
+ Direct root Logins Not Allowed
+
+To further limit access to the root account, administrators
+can disable root logins at the console by editing the /etc/securetty file.
+This file lists all devices the root user is allowed to login to. If the file does
+not exist at all, the root user can login through any communication device on the
+system, whether via the console or via a raw network interface. This is dangerous
+as user can login to the system as root via Telnet, which sends the password in
+plain text over the network. By default, Oracle Linux 8's
+/etc/securetty file only allows the root user to login at the console
+physically attached to the system. To prevent root from logging in, remove the
+contents of this file. To prevent direct root logins, remove the contents of this
+file by typing the following command:
+
+$ sudo echo > /etc/securetty
+
+
+
+Disabling direct root logins ensures proper accountability and multifactor
+authentication to privileged accounts. Users will first login, then escalate
+to privileged (root) access via su / sudo. This is required for FISMA Low
+and FISMA Moderate systems.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - rmdir
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -59,6 +59,23 @@
Req-6.2
+ Ensure gpgcheck Enabled for All yum Package Repositories
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+
+
+
+ Req-6.2
Ensure gpgcheck Enabled In Main yum Configuration
The gpgcheck option controls whether
@@ -87,23 +104,6 @@
Req-6.2
- Ensure gpgcheck Enabled for All yum Package Repositories
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
-
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
-
-
-
- Req-6.2
Ensure Oracle Linux GPG Key Installed
To ensure the system can cryptographically verify base software
@@ -186,33 +186,33 @@
Req-7.1
- Verify /boot/grub2/grub.cfg User Ownership
+ Verify /boot/grub2/grub.cfg Group Ownership
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
Req-7.1
- Verify /boot/grub2/grub.cfg Group Ownership
+ Verify /boot/grub2/grub.cfg User Ownership
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
@@ -318,6 +318,28 @@
Req-8.1.8
+ Enable GNOME3 Screensaver Lock After Idle Period
+
+
+To activate locking of the screensaver in the GNOME3 desktop when it is activated,
+add or set lock-enabled to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+lock-enabled=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/desktop/screensaver/lock-enabled
+After the settings have been set, run dconf update.
+
+
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
+of the information system but does not want to logout because of the temporary nature of the absense.
+
+
+
+ Req-8.1.8
Implement Blank Screensaver
@@ -342,18 +364,26 @@
Req-8.1.8
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
+ Set SSH Idle Timeout Interval
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+SSH allows administrators to set an idle timeout interval. After this interval
+has passed, the idle user will be automatically logged out.
+
+To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
+follows:
+ClientAliveInterval 300
+
+The timeout interval is given in seconds. For example, have a timeout
+of 10 minutes, set interval to 600.
+
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
+some processes may stop SSH from correctly detecting that the user is idle.
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Terminating an idle ssh session within a short time period reduces the window of
+opportunity for unauthorized personnel to take control of a management session
+enabled on the console or console port that has been let unattended.
@@ -396,6 +426,29 @@
Req-8.1.8
+ Set SSH Client Alive Count Max to zero
+
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
+
+
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
+
+
+
+ Req-8.1.8
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
@@ -417,14 +470,13 @@
Req-8.1.8
- Set GNOME3 Screensaver Lock Delay After Activation Period
+ Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
-To activate the locking delay of the screensaver in the GNOME3 desktop when
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -42,76 +42,19 @@
Rationale
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
-
-
-
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
-
-The audit system should collect detailed unauthorized file accesses for
-all users and root. The open syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via open syscall are collected.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-
-
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-
-
-
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - at
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
Misuse of privileged functions, either intentionally or unintentionally by
@@ -128,46 +71,113 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - umount
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
-At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
+To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+
+
+The place to add the lines depends on a way auditd daemon is configured. If it is configured
+to use the augenrules program (the default), add the lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl utility,
+add the lines to file /etc/audit/audit.rules.
+
+
+The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is important
+to have an audit trail of modules that have been introduced into the kernel.
+
+
+
+ IA-2
CM-6(a)
+ Direct root Logins Not Allowed
+
+To further limit access to the root account, administrators
+can disable root logins at the console by editing the /etc/securetty file.
+This file lists all devices the root user is allowed to login to. If the file does
+not exist at all, the root user can login through any communication device on the
+system, whether via the console or via a raw network interface. This is dangerous
+as user can login to the system as root via Telnet, which sends the password in
+plain text over the network. By default, Red Hat Enterprise Linux CoreOS 4's
+/etc/securetty file only allows the root user to login at the console
+physically attached to the system. To prevent root from logging in, remove the
+contents of this file. To prevent direct root logins, remove the contents of this
+file by typing the following command:
+
+$ sudo echo > /etc/securetty
+
+
+
+Disabling direct root logins ensures proper accountability and multifactor
+authentication to privileged accounts. Users will first login, then escalate
+to privileged (root) access via su / sudo. This is required for FISMA Low
+and FISMA Moderate systems.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - rmdir
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
+
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,69 +43,49 @@
BP28(R1)
- Uninstall talk Package
+ Uninstall DHCP Server Package
-The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
+If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp package can be removed with the following command:
-$ sudo yum erase talk
-
-
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
-
-
-
- BP28(R1)
- Uninstall tftp-server Package
-
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+$ sudo yum erase dhcp
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
+Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
BP28(R1)
- Uninstall ypserv Package
+ Remove telnet Clients
-The ypserv package can be removed with the following command:
-
-$ sudo yum erase ypserv
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the ypserv package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.
BP28(R1)
- Uninstall DHCP Server Package
+ Uninstall rsh-server Package
-If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp package can be removed with the following command:
+The rsh-server package can be removed with the following command:
-$ sudo yum erase dhcp
+$ sudo yum erase rsh-server
-Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
@@ -122,17 +102,35 @@
BP28(R1)
- Remove tftp Daemon
+ Uninstall ypserv Package
-Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
+The ypserv package can be removed with the following command:
+
+$ sudo yum erase ypserv
-It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
+
+
+
+ BP28(R1)
+ Uninstall Sendmail Package
+
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
+
+$ sudo yum erase sendmail
+
+
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
@@ -161,32 +159,52 @@
BP28(R1)
- Uninstall rsh-server Package
+ Remove tftp Daemon
-The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+tftp is a client program that allows for connections to a tftp server.
-The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
BP28(R1)
- Uninstall xinetd Package
+ Remove NIS Client
-The xinetd package can be removed with the following command:
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
+
+
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
+
+
+
+ BP28(R1)
+ Uninstall talk Package
+
+The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
-$ sudo yum erase xinetd
+$ sudo yum erase talk
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -98,6 +98,21 @@
1.1.1.3
+ Disable Mounting of jffs2
+
+
+To configure the system to prevent the jffs2
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
+install jffs2 /bin/true
+This effectively prevents usage of this uncommon filesystem.
+
+
+Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+
+
+
+ 1.1.1.3
Disable Mounting of udf
@@ -118,21 +133,6 @@
- 1.1.1.3
- Disable Mounting of jffs2
-
-
-To configure the system to prevent the jffs2
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
-install jffs2 /bin/true
-This effectively prevents usage of this uncommon filesystem.
-
-
-Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.
-
-
-
1.1.1.4
Disable Mounting of hfs
@@ -553,6 +553,23 @@
1.2.3
+ Ensure gpgcheck Enabled for All yum Package Repositories
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+
+
+
+ 1.2.3
Ensure gpgcheck Enabled In Main yum Configuration
The gpgcheck option controls whether
@@ -581,23 +598,6 @@
1.2.3
- Ensure gpgcheck Enabled for All yum Package Repositories
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
-
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
-
-
-
- 1.2.3
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages
@@ -646,18 +646,6 @@
1.3.1
- Install AIDE
-
-The aide package can be installed with the following command:
-
-$ sudo yum install aide
-
-
-The AIDE package must be installed if it is to be available for integrity checking.
-
-
-
- 1.3.1
Build and Test AIDE Database
Run the following command to generate a new database:
@@ -689,6 +677,18 @@
+ 1.3.1
+ Install AIDE
+
+The aide package can be installed with the following command:
+
+$ sudo yum install aide
+
+
+The AIDE package must be installed if it is to be available for integrity checking.
+
+
+
1.3.2
Configure Periodic Execution of AIDE
@@ -763,20 +763,6 @@
1.4.2
- Verify the UEFI Boot Loader grub.cfg Permissions
-
-File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
-
-To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
-
-
-Proper permissions ensure that only the root user can modify important boot
-parameters.
-
-
-
- 1.4.2
Verify the UEFI Boot Loader grub.cfg User Ownership
The file /boot/efi/EFI/redhat/grub.cfg should
@@ -808,6 +794,36 @@
1.4.2
+ Verify the UEFI Boot Loader grub.cfg Permissions
+
+File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
+
+To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
+
+
+Proper permissions ensure that only the root user can modify important boot
+parameters.
+
+
+
+ 1.4.2
+ Verify /boot/grub2/grub.cfg Group Ownership
+
+The file /boot/grub2/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
+
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
+
+
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
+
+
+
+ 1.4.2
Verify /boot/grub2/grub.cfg Permissions
File permissions for /boot/grub2/grub.cfg should be set to 600.
@@ -836,22 +852,6 @@
- 1.4.2
- Verify /boot/grub2/grub.cfg Group Ownership
-
-The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,78 +43,36 @@
3.1.1
3.1.5
- Disable SSH Root Login
-
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
-
-
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
-
-
-
- 3.1.1
- Disable GDM Automatic Login
-
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the AutomaticLoginEnable to false in the
-[daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-AutomaticLoginEnable=false
-
-
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-
-
-
- 3.1.1
- Disable GDM Guest Login
+ Restrict Virtual Console Root Logins
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
- 3.1.1
3.1.5
- Verify Only Root Has UID 0
+ 3.1.1
3.4.5
+ Require Authentication for Emergency Systemd Target
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
@@ -144,37 +102,20 @@
- 3.1.1
3.1.5
- Restrict Virtual Console Root Logins
-
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
-
-
-Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
-
-
-
- 3.1.1
3.4.5
- Require Authentication for Emergency Systemd Target
+ 3.1.1
+ Disable GDM Automatic Login
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
@@ -204,17 +145,23 @@
3.1.1
3.1.5
- Restrict Serial Port Root Logins
+ Disable SSH Root Login
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
@@ -237,6 +184,59 @@
3.1.1
3.1.5
+ Verify Only Root Has UID 0
+
+If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+
+
+An account has root authority if it has a UID of 0. Multiple accounts
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -42,76 +42,36 @@
Rationale
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
-
-
-
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+ IA-2
AC-3
CM-6(a)
+ Require Authentication for Emergency Systemd Target
-The audit system should collect detailed unauthorized file accesses for
-all users and root. The open syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via open syscall are collected.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - at
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
Misuse of privileged functions, either intentionally or unintentionally by
@@ -128,18 +88,113 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - umount
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
+
+To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+
+
+The place to add the lines depends on a way auditd daemon is configured. If it is configured
+to use the augenrules program (the default), add the lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl utility,
+add the lines to file /etc/audit/audit.rules.
+
+
+The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is important
+to have an audit trail of modules that have been introduced into the kernel.
+
+
+
+ IA-2
CM-6(a)
+ Direct root Logins Not Allowed
+
+To further limit access to the root account, administrators
+can disable root logins at the console by editing the /etc/securetty file.
+This file lists all devices the root user is allowed to login to. If the file does
+not exist at all, the root user can login through any communication device on the
+system, whether via the console or via a raw network interface. This is dangerous
+as user can login to the system as root via Telnet, which sends the password in
+plain text over the network. By default, Red Hat Enterprise Linux 7's
+/etc/securetty file only allows the root user to login at the console
+physically attached to the system. To prevent root from logging in, remove the
+contents of this file. To prevent direct root logins, remove the contents of this
+file by typing the following command:
+
+$ sudo echo > /etc/securetty
+
+
+
+Disabling direct root logins ensures proper accountability and multifactor
+authentication to privileged accounts. Users will first login, then escalate
+to privileged (root) access via su / sudo. This is required for FISMA Low
+and FISMA Moderate systems.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+
+
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - rmdir
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+
+
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+
+
+
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
+ Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,23 +43,24 @@
FAU_GEN.1
- Enable Auditing for Processes Which Start Prior to the Audit Daemon
+ Enable auditd Service
-To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
-Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
@@ -88,24 +89,23 @@
FAU_GEN.1
- Enable auditd Service
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
-The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
-Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
@@ -123,75 +123,126 @@
FAU_GEN.1.1.c
- Record Events that Modify the System's Discretionary Access Controls - lchown
+ Configure auditd to use audispd's syslog plugin
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+To configure the auditd service to use the
+syslog plug-in of the audispd audit event multiplexor, set
+the active line in /etc/audisp/plugins.d/syslog.conf to yes.
+Restart the auditd service:
+$ sudo service auditd restart
+
+
+The auditd service does not include the ability to send audit
+records to a centralized server for management directly. It does, however,
+include a plug-in for audit event multiplexor (audispd) to pass audit records
+to the local syslog server
+
+
+
+ FAU_GEN.1.1.c
+ Encrypt Audit Records Sent With audispd Plugin
+
+Configure the operating system to encrypt the transfer of off-loaded audit
+records onto a different system or media from the system being audited.
+
+Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf
,
+and set it with the following line:
+enable_krb5 = yes
+
+
+Information stored in one location is vulnerable to accidental or incidental deletion
+or alteration. Off-loading is a common process in information systems with limited
+audit storage capacity.
+
+
+
+ FAU_GEN.1.1.c
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
FAU_GEN.1.1.c
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+ Ensure auditd Collects File Deletion Events by User - rmdir
-The audit system should collect detailed unauthorized file accesses for
-all users and root. The open syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via open syscall are collected.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -59,6 +59,23 @@
Req-6.2
+ Ensure gpgcheck Enabled for All yum Package Repositories
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+
+
+
+ Req-6.2
Ensure gpgcheck Enabled In Main yum Configuration
The gpgcheck option controls whether
@@ -87,23 +104,6 @@
Req-6.2
- Ensure gpgcheck Enabled for All yum Package Repositories
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
-
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
-
-
-
- Req-6.2
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages
@@ -187,33 +187,33 @@
Req-7.1
- Verify /boot/grub2/grub.cfg User Ownership
+ Verify /boot/grub2/grub.cfg Group Ownership
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
Req-7.1
- Verify /boot/grub2/grub.cfg Group Ownership
+ Verify /boot/grub2/grub.cfg User Ownership
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
@@ -319,6 +319,28 @@
Req-8.1.8
+ Enable GNOME3 Screensaver Lock After Idle Period
+
+
+To activate locking of the screensaver in the GNOME3 desktop when it is activated,
+add or set lock-enabled to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+lock-enabled=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/desktop/screensaver/lock-enabled
+After the settings have been set, run dconf update.
+
+
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
+of the information system but does not want to logout because of the temporary nature of the absense.
+
+
+
+ Req-8.1.8
Implement Blank Screensaver
@@ -343,18 +365,26 @@
Req-8.1.8
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
+ Set SSH Idle Timeout Interval
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+SSH allows administrators to set an idle timeout interval. After this interval
+has passed, the idle user will be automatically logged out.
+
+To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
+follows:
+ClientAliveInterval 300
+
+The timeout interval is given in seconds. For example, have a timeout
+of 10 minutes, set interval to 600.
+
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
+some processes may stop SSH from correctly detecting that the user is idle.
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Terminating an idle ssh session within a short time period reduces the window of
+opportunity for unauthorized personnel to take control of a management session
+enabled on the console or console port that has been let unattended.
@@ -397,6 +427,29 @@
Req-8.1.8
+ Set SSH Client Alive Count Max to zero
+
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
+
+
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
+
+
+
+ Req-8.1.8
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
@@ -418,14 +471,13 @@
Req-8.1.8
- Set GNOME3 Screensaver Lock Delay After Activation Period
+ Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
-To activate the locking delay of the screensaver in the GNOME3 desktop when
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,69 +43,49 @@
BP28(R1)
- Uninstall talk Package
+ Uninstall DHCP Server Package
-The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
+If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The dhcp-server package can be removed with the following command:
-$ sudo yum erase talk
-
-
-The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
-
-
-
- BP28(R1)
- Uninstall tftp-server Package
-
-The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+$ sudo yum erase dhcp-server
-Removing the tftp-server package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
+Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
BP28(R1)
- Uninstall ypserv Package
+ Remove telnet Clients
-The ypserv package can be removed with the following command:
-
-$ sudo yum erase ypserv
+The telnet client allows users to start connections to other systems via
+the telnet protocol.
-The NIS service provides an unencrypted authentication service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session.
-
-Removing the ypserv package decreases the risk of the accidental
-(or intentional) activation of NIS or NIS+ services.
+The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
BP28(R1)
- Uninstall DHCP Server Package
+ Uninstall rsh-server Package
-If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The dhcp-server package can be removed with the following command:
+The rsh-server package can be removed with the following command:
-$ sudo yum erase dhcp-server
+$ sudo yum erase rsh-server
-Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
+The rsh-server service provides unencrypted remote access service which does not
+provide for the confidentiality and integrity of user passwords or the remote session and has very weak
+authentication. If a privileged user were to login using this service, the privileged user password
+could be compromised. The rsh-server package provides several obsolete and insecure
+network services. Removing it decreases the risk of those services' accidental (or intentional)
+activation.
@@ -122,17 +102,35 @@
BP28(R1)
- Remove tftp Daemon
+ Uninstall ypserv Package
-Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
+The ypserv package can be removed with the following command:
+
+$ sudo yum erase ypserv
-It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
+
+
+
+ BP28(R1)
+ Uninstall Sendmail Package
+
+Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
+
+$ sudo yum erase sendmail
+
+
+The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
@@ -161,32 +159,52 @@
BP28(R1)
- Uninstall rsh-server Package
+ Remove tftp Daemon
-The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+tftp is a client program that allows for connections to a tftp server.
-The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
BP28(R1)
- Uninstall xinetd Package
+ Remove NIS Client
-The xinetd package can be removed with the following command:
+The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
+
+
+The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
+
+
+
+ BP28(R1)
+ Uninstall talk Package
+
+The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
-$ sudo yum erase xinetd
+$ sudo yum erase talk
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -672,20 +672,6 @@
1.5.1
- Verify the UEFI Boot Loader grub.cfg Permissions
-
-File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
-
-To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
-
-
-Proper permissions ensure that only the root user can modify important boot
-parameters.
-
-
-
- 1.5.1
Verify the UEFI Boot Loader grub.cfg User Ownership
The file /boot/efi/EFI/redhat/grub.cfg should
@@ -717,6 +703,36 @@
1.5.1
+ Verify the UEFI Boot Loader grub.cfg Permissions
+
+File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700.
+
+To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
+
+
+Proper permissions ensure that only the root user can modify important boot
+parameters.
+
+
+
+ 1.5.1
+ Verify /boot/grub2/grub.cfg Group Ownership
+
+The file /boot/grub2/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
+
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
+
+
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
+
+
+
+ 1.5.1
Verify /boot/grub2/grub.cfg Permissions
File permissions for /boot/grub2/grub.cfg should be set to 600.
@@ -745,22 +761,6 @@
- 1.5.1
- Verify /boot/grub2/grub.cfg Group Ownership
-
-The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
-
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
-
-
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
-
-
-
1.5.2
Set the UEFI Boot Loader Password
@@ -841,20 +841,17 @@
1.6.1
- Disable storing core dump
+ Disable Core Dumps for All Users
-The Storage option in [Coredump] section
-of /etc/systemd/coredump.conf
-can be set to none to disable storing core dumps permanently.
+To disable core dumps for all users, add the following line to
+/etc/security/limits.conf, or to a file within the
+/etc/security/limits.d/ directory:
+* hard core 0
A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data
-and is generally useful only for developers or system operators trying to
-debug problems. Enabling core dumps on production systems is not recommended,
-however there may be overriding operational requirements to enable advanced
-debuging. Permitting temporary enablement of core dumps during such situations
-should be reviewed through local needs and policy.
+terminates an application. The memory image could contain sensitive data and is generally useful
+only for developers trying to debug problems.
@@ -881,17 +878,20 @@
1.6.1
- Disable Core Dumps for All Users
+ Disable storing core dump
-To disable core dumps for all users, add the following line to
-/etc/security/limits.conf, or to a file within the
-/etc/security/limits.d/ directory:
-* hard core 0
+The Storage option in [Coredump] section
+of /etc/systemd/coredump.conf
+can be set to none to disable storing core dumps permanently.
A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is generally useful
-only for developers trying to debug problems.
+terminates an application. The memory image could contain sensitive data
+and is generally useful only for developers or system operators trying to
+debug problems. Enabling core dumps on production systems is not recommended,
+however there may be overriding operational requirements to enable advanced
+debuging. Permitting temporary enablement of core dumps during such situations
+should be reviewed through local needs and policy.
@@ -1158,35 +1158,46 @@
- 1.8.1.4
- Verify permissions on Message of the Day Banner
+ 1.8.1.4
1.8.1.5
1.8.1.6
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
+ Verify and Correct File Permissions with RPM
-
-To properly set the permissions of /etc/motd, run the command:
-$ sudo chmod 0644 /etc/motd
+The RPM package management system can check file access permissions
+of installed software packages, including many that are important
+to system security.
+Verify that the file permissions of system files
+and commands match vendor values. Check the file permissions
+with the following command:
+$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
+Output indicates files that do not match vendor defaults.
+After locating a file with incorrect permissions,
+run the following command to determine which package owns it:
+$ rpm -qf FILENAME
+
+Next, run the following command to reset its permissions to
+the correct values:
+$ sudo rpm --setperms PACKAGENAME
-Display of a standardized and approved use notification before granting
-access to the operating system ensures privacy and security notification
-verbiage used is consistent with applicable federal laws, Executive Orders,
-directives, policies, regulations, standards, and guidance.
-Proper permissions will ensure that only root user can modify the banner.
+Permissions on system binaries and configuration files that are too generous
+could allow an unauthorized user to gain privileges that they should not have.
+The permissions set by the vendor should be maintained. Any deviations from
+this baseline should be investigated.
1.8.1.4
- Verify Group Ownership of Message of the Day Banner
+ Verify permissions on Message of the Day Banner
-To properly set the group owner of /etc/motd, run the command:
-$ sudo chgrp root /etc/motd
+To properly set the permissions of /etc/motd, run the command:
+$ sudo chmod 0644 /etc/motd
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
-Proper group ownership will ensure that only root user can modify the banner.
+Proper permissions will ensure that only root user can modify the banner.
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -43,78 +43,36 @@
3.1.1
3.1.5
- Disable SSH Root Login
-
-The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
-
-
-Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
-
-
-
- 3.1.1
- Disable GDM Automatic Login
-
-The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the AutomaticLoginEnable to false in the
-[daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-AutomaticLoginEnable=false
-
-
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-
-
-
- 3.1.1
- Disable GDM Guest Login
+ Restrict Virtual Console Root Logins
-The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
-Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
- 3.1.1
3.1.5
- Verify Only Root Has UID 0
+ 3.1.1
3.4.5
+ Require Authentication for Emergency Systemd Target
-If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
@@ -144,37 +102,20 @@
- 3.1.1
3.1.5
- Restrict Virtual Console Root Logins
-
-To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
-
-
-Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
-
-
-
- 3.1.1
3.4.5
- Require Authentication for Emergency Systemd Target
+ 3.1.1
+ Disable GDM Automatic Login
-Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
-This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+Failure to restrict system access to authenticated users negatively impacts operating
+system security.
@@ -204,17 +145,23 @@
3.1.1
3.1.5
- Restrict Serial Port Root Logins
+ Disable SSH Root Login
-To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
+The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
-Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
@@ -237,6 +184,59 @@
3.1.1
3.1.5
+ Verify Only Root Has UID 0
+
+If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+
+
+An account has root authority if it has a UID of 0. Multiple accounts
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -42,76 +42,36 @@
Rationale
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Events that Modify the System's Discretionary Access Controls - lchown
-
-At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-
-The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
-
-
-
- AU-2(d)
AU-12(c)
CM-6(a)
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+ IA-2
AC-3
CM-6(a)
+ Require Authentication for Emergency Systemd Target
-The audit system should collect detailed unauthorized file accesses for
-all users and root. The open syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via open syscall are collected.
-If the auditd daemon is configured to use the augenrules
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix .rules in the directory
-/etc/audit/rules.d.
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the rules below to
-/etc/audit/audit.rules file.
-
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-
+Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
-Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - at
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Misuse of privileged functions, either intentionally or unintentionally by
@@ -128,46 +88,113 @@
AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a)
- Ensure auditd Collects Information on the Use of Privileged Commands - umount
+ Ensure auditd Collects Information on Kernel Module Loading and Unloading
-At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the auditd daemon is
-configured to use the augenrules program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules
+
+
+The place to add the lines depends on a way auditd daemon is configured. If it is configured
+to use the augenrules program (the default), add the lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl utility,
+add the lines to file /etc/audit/audit.rules.
+
+
+The addition/removal of kernel modules can be used to alter the behavior of
+the kernel and potentially introduce malicious code into kernel space. It is important
+to have an audit trail of modules that have been introduced into the kernel.
+
+
+
+ IA-2
CM-6(a)
+ Direct root Logins Not Allowed
+
+To further limit access to the root account, administrators
+can disable root logins at the console by editing the /etc/securetty file.
+This file lists all devices the root user is allowed to login to. If the file does
+not exist at all, the root user can login through any communication device on the
+system, whether via the console or via a raw network interface. This is dangerous
+as user can login to the system as root via Telnet, which sends the password in
+plain text over the network. By default, Red Hat Enterprise Linux 8's
+/etc/securetty file only allows the root user to login at the console
+physically attached to the system. To prevent root from logging in, remove the
+contents of this file. To prevent direct root logins, remove the contents of this
+file by typing the following command:
+
+$ sudo echo > /etc/securetty
+
+
+
+Disabling direct root logins ensures proper accountability and multifactor
+authentication to privileged accounts. Users will first login, then escalate
+to privileged (root) access via su / sudo. This is required for FISMA Low
+and FISMA Moderate systems.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add a line of the following
-form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.
+Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+
+
+
+ AU-2(d)
AU-12(c)
CM-6(a)
+ Ensure auditd Collects File Deletion Events by User - rmdir
+
+At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-06-27 00:00:00.000000000 +0000
@@ -59,6 +59,23 @@
Req-6.2
+ Ensure gpgcheck Enabled for All yum Package Repositories
+
+To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+
+
+Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+
+
+
+ Req-6.2
Ensure gpgcheck Enabled In Main yum Configuration
The gpgcheck option controls whether
@@ -87,23 +104,6 @@
Req-6.2
- Ensure gpgcheck Enabled for All yum Package Repositories
-
-To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
-
-
-Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
-
-
-
- Req-6.2
Ensure Red Hat GPG Key Installed
To ensure the system can cryptographically verify base software packages
@@ -187,33 +187,33 @@
Req-7.1
- Verify /boot/grub2/grub.cfg User Ownership
+ Verify /boot/grub2/grub.cfg Group Ownership
The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
-Only root should be able to modify important boot parameters.
+The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
Req-7.1
- Verify /boot/grub2/grub.cfg Group Ownership
+ Verify /boot/grub2/grub.cfg User Ownership
The file /boot/grub2/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chgrp root /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
-The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+Only root should be able to modify important boot parameters.
@@ -319,6 +319,28 @@
Req-8.1.8
+ Enable GNOME3 Screensaver Lock After Idle Period
+
+
+To activate locking of the screensaver in the GNOME3 desktop when it is activated,
+add or set lock-enabled to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+lock-enabled=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/desktop/screensaver/lock-enabled
+After the settings have been set, run dconf update.
+
+
+A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
+of the information system but does not want to logout because of the temporary nature of the absense.
+
+
+
+ Req-8.1.8
Implement Blank Screensaver
@@ -343,18 +365,26 @@
Req-8.1.8
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
+ Set SSH Idle Timeout Interval
-If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+SSH allows administrators to set an idle timeout interval. After this interval
+has passed, the idle user will be automatically logged out.
+
+To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
+follows:
+ClientAliveInterval 300
+
+The timeout interval is given in seconds. For example, have a timeout
+of 10 minutes, set interval to 600.
+
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
+some processes may stop SSH from correctly detecting that the user is idle.
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+Terminating an idle ssh session within a short time period reduces the window of
+opportunity for unauthorized personnel to take control of a management session
+enabled on the console or console port that has been let unattended.
@@ -397,6 +427,29 @@
Req-8.1.8
+ Set SSH Client Alive Count Max to zero
+
+The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+
+To ensure the SSH idle timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
+
+
+This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
+
+
+
+ Req-8.1.8
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
@@ -418,14 +471,13 @@
Req-8.1.8
- Set GNOME3 Screensaver Lock Delay After Activation Period
+ Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
-To activate the locking delay of the screensaver in the GNOME3 desktop when
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-06-27 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1 DISA STIG for Red Hat Enterprise Linux 7
+1 DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux V3R7.
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-06-27 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1 DISA STIG for Red Hat Enterprise Linux 8
+1 DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R6.
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -210,39 +210,40 @@
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -250,19 +251,29 @@
-
+
-
-
+
-
-
+
-
+
+
+
+
+
+
+
+
@@ -275,45 +286,39 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
@@ -321,9 +326,9 @@
-
+
-
@@ -335,14 +340,9 @@
-
-
-
-
-
+
-
@@ -1285,22 +1285,6 @@
1.5.4
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
- # prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
- if grep -q ^PRELINKING /etc/sysconfig/prelink
- then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
- else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
- fi
-
- # Undo previous prelink changes to binaries if prelink is available.
- if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -212,39 +212,40 @@
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -252,19 +253,29 @@
-
+
-
-
+
-
-
+
-
+
+
+
+
+
+
+
+
@@ -277,45 +288,39 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
@@ -323,9 +328,9 @@
-
+
-
@@ -337,14 +342,9 @@
-
-
-
-
-
+
-
@@ -1287,22 +1287,6 @@
1.5.4
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
- # prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
- if grep -q ^PRELINKING /etc/sysconfig/prelink
- then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
- else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
- fi
-
- # Undo previous prelink changes to binaries if prelink is available.
- if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -56,39 +56,40 @@
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -96,19 +97,29 @@
-
+
-
-
+
-
-
+
-
+
+
+
+
+
+
+
+
@@ -121,45 +132,39 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
@@ -167,9 +172,9 @@
-
+
-
@@ -181,14 +186,9 @@
-
-
-
-
-
+
-
@@ -1131,22 +1131,6 @@
1.5.4
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
- # prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
- if grep -q ^PRELINKING /etc/sysconfig/prelink
- then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
- else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
- fi
-
- # Undo previous prelink changes to binaries if prelink is available.
- if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -246,39 +246,40 @@
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -286,34 +287,29 @@
-
-
-
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -321,29 +317,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -351,15 +347,19 @@
-
+
-
-
-
-
+
+
+
+
+
+
@@ -367,9 +367,9 @@
-
+
-
@@ -381,14 +381,14 @@
-
+
-
-
+
-
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -248,39 +248,40 @@
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -288,34 +289,29 @@
-
-
-
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -323,29 +319,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -353,15 +349,19 @@
-
+
-
-
-
-
+
+
+
+
+
+
@@ -369,9 +369,9 @@
-
+
-
@@ -383,14 +383,14 @@
-
+
-
-
+
-
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -56,39 +56,40 @@
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -96,34 +97,29 @@
-
-
-
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -131,29 +127,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -161,15 +157,19 @@
-
+
-
-
-
-
+
+
+
+
+
+
@@ -177,9 +177,9 @@
-
+
-
@@ -191,14 +191,14 @@
-
+
-
-
+
-
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -194,69 +194,70 @@
-
+
-
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -264,60 +265,59 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -7360,28 +7360,6 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated.
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -196,69 +196,70 @@
-
+
-
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -266,60 +267,59 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -7362,28 +7362,6 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated.
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -56,69 +56,70 @@
-
+
-
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -126,60 +127,59 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -7222,28 +7222,6 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated.
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -180,29 +180,35 @@
-
+
-
-
+
-
-
+
+
+
+
+
-
-
+
-
-
+
-
@@ -210,19 +216,24 @@
-
+
-
-
+
-
-
+
-
+
+
+
+
@@ -235,50 +246,44 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
-
+
-
@@ -290,14 +295,9 @@
-
-
-
-
-
+
-
@@ -1739,15 +1739,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-dnf reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -1879,6 +1870,15 @@
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+dnf reinstall -y $packages_to_reinstall
+
@@ -2018,32 +2018,6 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
-
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -180,29 +180,35 @@
-
+
-
-
+
-
-
+
+
+
+
+
-
-
+
-
-
+
-
@@ -210,19 +216,24 @@
-
+
-
-
+
-
-
+
-
+
+
+
+
@@ -235,50 +246,44 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
-
+
-
@@ -290,14 +295,9 @@
-
-
-
-
-
+
-
@@ -1739,15 +1739,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-dnf reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -1879,6 +1870,15 @@
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+dnf reinstall -y $packages_to_reinstall
+
@@ -2018,32 +2018,6 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
-
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-06-27 00:00:00.000000000 +0000
@@ -7,652 +7,646 @@
2022-06-27T00:00:00
-
- Configure SSSD's Memory Cache to Expire
-
- ocil:ssg-sssd_memcache_timeout_action:testaction:1
-
-
-
- Verify Group Who Owns Backup passwd File
+
+ Record Successful Access Attempts to Files - creat
- ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lchown
+
+ Ensure PAM Enforces Password Requirements - Minimum Special Characters
- ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1
+ ocil:ssg-accounts_password_pam_ocredit_action:testaction:1
-
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+
+ Restrict usage of ptrace to descendant processes
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
+ ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1
-
- Set PAM's Password Hashing Algorithm
+
+ Warn on W+X mappings found at boot
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-kernel_config_debug_wx_action:testaction:1
-
- Configure SSSD to Expire Offline Credentials
+
+ Restrict Virtual Console Root Logins
- ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
+ ocil:ssg-securetty_root_login_console_only_action:testaction:1
-
- Record Successful Access Attempts to Files - openat
+
+ Ensure All Accounts on the System Have Unique Names
- ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
+ ocil:ssg-account_unique_name_action:testaction:1
-
- Disable XDMCP in GDM
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Require Authentication for Emergency Systemd Target
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-require_emergency_target_auth_action:testaction:1
-
- Enable Encrypted X11 Forwarding
+
+ Ensure /var/log/audit Located On Separate Partition
- ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1
+ ocil:ssg-partition_for_var_log_audit_action:testaction:1
-
- Install tar Package
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-package_tar_installed_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Ensure /boot Located On Separate Partition
+
+ Encrypt Audit Records Sent With audispd Plugin
- ocil:ssg-partition_for_boot_action:testaction:1
+ ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1
-
- Disable SSH Support for Rhosts RSA Authentication
+
+ Verify Group Who Owns /var/log/messages File
- ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
+ ocil:ssg-file_groupowner_var_log_messages_action:testaction:1
-
- Enable cron Service
+
+ Ensure invoking users password for privilege escalation when using sudo
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-sudoers_validate_passwd_action:testaction:1
-
- Disable kernel support for MISC binaries
+
+ Disable Access to Network bpf() Syscall From Unprivileged Processes
- ocil:ssg-kernel_config_binfmt_misc_action:testaction:1
+ ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1
-
- Install sssd-ipa Package
+
+ Configure GnuTLS library to use DoD-approved TLS Encryption
- ocil:ssg-package_sssd-ipa_installed_action:testaction:1
+ ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1
-
- Disable X Windows Startup By Setting Default Target
+
+ Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
- ocil:ssg-xwindows_runlevel_target_action:testaction:1
+ ocil:ssg-accounts_password_pam_dictcheck_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Enable the NTP Daemon
- ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1
+ ocil:ssg-service_ntpd_enabled_action:testaction:1
-
- Disable vsyscall emulate execution only
+
+ Enable different security models
- ocil:ssg-kernel_config_legacy_vsyscall_xonly_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
-
- Enable dnf-automatic Timer
+
+ Strong Stack Protector
- ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1
+ ocil:ssg-kernel_config_stackprotector_strong_action:testaction:1
-
- Add nodev Option to /tmp
+
+ Configure Kernel Parameter for Accepting Secure Redirects By Default
- ocil:ssg-mount_option_tmp_nodev_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - at
+
+ Ensure rsyslog is Installed
- ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -48,29 +48,35 @@
-
+
-
-
+
-
-
+
+
+
+
+
-
-
+
-
-
+
-
@@ -78,19 +84,24 @@
-
+
-
-
+
-
-
+
-
+
+
+
+
@@ -103,50 +114,44 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
-
+
-
@@ -158,14 +163,9 @@
-
-
-
-
-
+
-
@@ -1607,15 +1607,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-dnf reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -1747,6 +1738,15 @@
- restrict_strategy
- rpm_verify_hashes
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+dnf reinstall -y $packages_to_reinstall
+
@@ -1886,32 +1886,6 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
-
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -172,34 +172,35 @@
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -207,14 +208,24 @@
-
+
-
-
+
-
+
+
+
+
+
+
+
+
@@ -227,45 +238,39 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
@@ -273,9 +278,9 @@
-
+
-
@@ -287,14 +292,9 @@
-
-
-
-
-
+
-
@@ -5543,22 +5543,6 @@
SRG-OS-000396-VMM-001590
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
- # prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
- if grep -q ^PRELINKING /etc/sysconfig/prelink
- then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
- else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
- fi
-
- # Undo previous prelink changes to binaries if prelink is available.
- if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
- fi
-fi
-
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
@@ -5595,6 +5579,22 @@
- no_reboot_needed
- restrict_strategy
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -174,34 +174,35 @@
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -209,14 +210,24 @@
-
+
-
-
+
-
+
+
+
+
+
+
+
+
@@ -229,45 +240,39 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
@@ -275,9 +280,9 @@
-
+
-
@@ -289,14 +294,9 @@
-
-
-
-
-
+
-
@@ -5545,22 +5545,6 @@
SRG-OS-000396-VMM-001590
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
- # prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
- if grep -q ^PRELINKING /etc/sysconfig/prelink
- then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
- else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
- fi
-
- # Undo previous prelink changes to binaries if prelink is available.
- if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
- fi
-fi
-
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
@@ -5597,6 +5581,22 @@
- no_reboot_needed
- restrict_strategy
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-06-27 00:00:00.000000000 +0000
@@ -7,1690 +7,1690 @@
2022-06-27T00:00:00
-
- Configure SSSD's Memory Cache to Expire
+
+ Record Successful Access Attempts to Files - creat
- ocil:ssg-sssd_memcache_timeout_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1
-
- Verify Group Who Owns Backup passwd File
+
+ Ensure PAM Enforces Password Requirements - Minimum Special Characters
- ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-accounts_password_pam_ocredit_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lchown
+
+ Add noexec Option to /var/tmp
- ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1
+ ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1
-
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+
+ Restrict usage of ptrace to descendant processes
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
+ ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1
-
- Set PAM's Password Hashing Algorithm
+
+ Restrict Virtual Console Root Logins
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-securetty_root_login_console_only_action:testaction:1
-
- Configure SSSD to Expire Offline Credentials
+
+ Ensure All Accounts on the System Have Unique Names
- ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
+ ocil:ssg-account_unique_name_action:testaction:1
-
- Mount Remote Filesystems with nosuid
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Record Successful Access Attempts to Files - openat
+
+ Require Authentication for Emergency Systemd Target
- ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
+ ocil:ssg-require_emergency_target_auth_action:testaction:1
-
- Disable XDMCP in GDM
+
+ Ensure /var/log/audit Located On Separate Partition
- ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1
+ ocil:ssg-partition_for_var_log_audit_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Disable SSH Support for .rhosts Files
- ocil:ssg-auditd_log_format_action:testaction:1
+ ocil:ssg-sshd_disable_rhosts_action:testaction:1
-
- Disable KDump Kernel Crash Analyzer (kdump)
+
+ Disable rexec Service
- ocil:ssg-service_kdump_disabled_action:testaction:1
+ ocil:ssg-service_rexec_disabled_action:testaction:1
-
- Enable Encrypted X11 Forwarding
+
+ Encrypt Audit Records Sent With audispd Plugin
- ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1
+ ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1
-
- Install tar Package
+
+ Verify Group Who Owns /var/log/messages File
- ocil:ssg-package_tar_installed_action:testaction:1
+ ocil:ssg-file_groupowner_var_log_messages_action:testaction:1
-
- Ensure /boot Located On Separate Partition
+
+ Ensure invoking users password for privilege escalation when using sudo
- ocil:ssg-partition_for_boot_action:testaction:1
+ ocil:ssg-sudoers_validate_passwd_action:testaction:1
-
- Disable SSH Support for Rhosts RSA Authentication
+
+ Elevate The SELinux Context When An Administrator Calls The Sudo Command
- ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1
+ ocil:ssg-selinux_context_elevation_for_sudo_action:testaction:1
-
- Enable cron Service
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
- ocil:ssg-service_cron_enabled_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1
-
- Disable kernel support for MISC binaries
+
+ Enable the NTP Daemon
- ocil:ssg-kernel_config_binfmt_misc_action:testaction:1
+ ocil:ssg-service_ntpd_enabled_action:testaction:1
-
- Install sssd-ipa Package
+
+ Enable different security models
- ocil:ssg-package_sssd-ipa_installed_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Configure Kernel Parameter for Accepting Secure Redirects By Default
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
-
- Disable the polyinstantiation_enabled SELinux Boolean
+
+ Ensure rsyslog is Installed
- ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Disable X Windows Startup By Setting Default Target
+
+ Verify the UEFI Boot Loader grub.cfg User Ownership
- ocil:ssg-xwindows_runlevel_target_action:testaction:1
+ ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1
-
- Add nodev Option to /var/log/audit
+
+ Uninstall abrt-plugin-sosreport Package
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-06-27 00:00:00.000000000 +0000
@@ -48,34 +48,35 @@
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -83,14 +84,24 @@
-
+
-
-
+
-
+
+
+
+
+
+
+
+
@@ -103,45 +114,39 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
-
-
-
-
@@ -149,9 +154,9 @@
-
+
-
@@ -163,14 +168,9 @@
-
-
-
-
-
+
-
@@ -5419,22 +5419,6 @@
SRG-OS-000396-VMM-001590
Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc.
- # prelink not installed
-if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
- if grep -q ^PRELINKING /etc/sysconfig/prelink
- then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
- else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
- fi
-
- # Undo previous prelink changes to binaries if prelink is available.
- if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
- fi
-fi
-
- name: Does prelink file exist
stat:
path: /etc/sysconfig/prelink
@@ -5471,6 +5455,22 @@
- no_reboot_needed
- restrict_strategy
+ # prelink not installed
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-06-27 00:00:00.000000000 +0000
@@ -176,34 +176,35 @@
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -211,24 +212,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -236,29 +237,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -266,15 +267,19 @@
-
+
-
-
-
-
+
+
+
+
+
+
@@ -282,9 +287,9 @@
-
+
-
@@ -296,14 +301,9 @@
-
-
-
-
-
+
-
@@ -5828,15 +5828,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -5968,6 +5959,15 @@
- restrict_strategy
- rpm_verify_hashes
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-06-27 00:00:00.000000000 +0000
@@ -178,34 +178,35 @@
-
+
-
-
-
-
+
+
-
+
-
-
+
-
-
+
-
-
+
-
@@ -213,24 +214,24 @@
-
+
-
-
+
-
-
+
-
-
+
-
@@ -238,29 +239,29 @@
-
+
-
-
+
-
-
+
-
-
+
-
-
+
-
@@ -268,15 +269,19 @@
-
+
-
-
-
-
+
+
+
+
+
+
@@ -284,9 +289,9 @@
-
+
-
@@ -298,14 +303,9 @@
-
-
-
-
-
+
-
@@ -5830,15 +5830,6 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-yum reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -5970,6 +5961,15 @@
- restrict_strategy
- rpm_verify_hashes
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-06-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-06-27 00:00:00.000000000 +0000
@@ -7,1379 +7,1391 @@
2022-06-27T00:00:00
-
- Configure SSSD's Memory Cache to Expire
+
+ Record Successful Access Attempts to Files - creat
- ocil:ssg-sssd_memcache_timeout_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1
-
- Verify Group Who Owns Backup passwd File
+
+ Ensure PAM Enforces Password Requirements - Minimum Special Characters
- ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1
+ ocil:ssg-accounts_password_pam_ocredit_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lchown
+
+ Add noexec Option to /var/tmp
- ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1
+ ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1
-
- Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
+
+ Restrict usage of ptrace to descendant processes
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1
+ ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1
-
- Set PAM's Password Hashing Algorithm
+
+ Restrict Virtual Console Root Logins
- ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1
+ ocil:ssg-securetty_root_login_console_only_action:testaction:1
-
- Configure SSSD to Expire Offline Credentials
+
+ Ensure All Accounts on the System Have Unique Names
- ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
+ ocil:ssg-account_unique_name_action:testaction:1
-
- Mount Remote Filesystems with nosuid
+
+ Configure auditd to use audispd's syslog plugin
- ocil:ssg-mount_option_nosuid_remote_filesystems_action:testaction:1
+ ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1
-
- Record Successful Access Attempts to Files - openat
+
+ Require Authentication for Emergency Systemd Target
- ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1
+ ocil:ssg-require_emergency_target_auth_action:testaction:1
-
- Disable XDMCP in GDM
+
+ Ensure /var/log/audit Located On Separate Partition
- ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1
+ ocil:ssg-partition_for_var_log_audit_action:testaction:1
-
- Resolve information before writing to audit logs
+
+ Disable SSH Support for .rhosts Files
-