Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91493-7 References:
+ BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 61 groups and 175 rules | Group
@@ -122,18 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -422,7 +422,33 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-83048-9 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r603262_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 57 groups and 151 rules | Group
@@ -122,18 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -398,18 +398,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -440,7 +440,27 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91492-9 References:
- BP28(R58) | | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91493-7 References:
+ BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 27 groups and 35 rules | | Group
@@ -109,7 +109,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-83013-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -173,7 +173,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-83012-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-12-010110, SV-217112r646686_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -244,18 +244,20 @@
$ sudo zypper install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-91476-2 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-91474-7 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
- CCE-91478-8 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 100 groups and 256 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -527,7 +527,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -580,18 +580,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 89 groups and 193 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -477,7 +477,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -530,18 +530,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 190 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -477,7 +477,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -530,18 +530,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 98 groups and 255 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-91483-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-91529-8 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -527,7 +527,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83182-6 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -580,18 +580,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91491-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.1.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- File Permissions and Masks
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 4 groups and 3 rules | | Group
@@ -113,7 +113,11 @@
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
| Rule
Verify User Who Owns passwd File
[ref] | To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
| Rule
Verify Permissions on passwd File
[ref] |
@@ -198,7 +198,12 @@
accounts on the system and associated information, and protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd | | Identifiers and References | Identifiers:
CCE-91452-3 References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.2 | | |
|
Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2022-10-01 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:12
- cpe:/o:suse:linux_enterprise_desktop:12
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 12
Group contains 83 groups and 237 rules | Group
@@ -111,18 +111,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83067-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-12-010500, 1.3.1, SV-217148r603262_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,7 +169,66 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-83204-8 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r603262_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -325,7 +325,33 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-83048-9 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r603262_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 61 groups and 169 rules | Group
@@ -122,18 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -398,18 +398,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -440,7 +440,27 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91184-2 References:
- BP28(R58) | | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91185-9 References:
+ BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 61 groups and 182 rules | Group
@@ -122,18 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -417,7 +417,33 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-91214-7 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 57 groups and 158 rules | Group
@@ -122,18 +122,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -180,7 +180,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -398,18 +398,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -440,7 +440,27 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-91184-2 References:
- BP28(R58) | | |
| Rule
+ Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+ [ref] | The sudo ignore_dot tag, when specified, will ignore the current directory
+in the PATH environment variable.
+This should be enabled by making sure that the ignore_dot tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Ignoring the commands in the user's current directory prevents an attacker from executing commands
+downloaded locally. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot | | Identifiers and References | Identifiers:
+ CCE-91185-9 References:
+ BP28(R58) | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 27 groups and 42 rules | | Group
@@ -109,7 +109,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-83291-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -173,7 +173,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-85663-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SLES-15-010450, SV-234853r622137_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -244,18 +244,20 @@
$ sudo zypper install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-91163-6 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-91165-1 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
- CCE-91166-9 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 109 groups and 275 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -522,7 +522,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -575,18 +575,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 97 groups and 212 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -472,7 +472,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -525,18 +525,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 91 groups and 209 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -472,7 +472,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -525,18 +525,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 107 groups and 274 rules | Group
@@ -115,18 +115,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -279,7 +279,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -522,7 +522,15 @@
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date | | Identifiers and References | Identifiers:
CCE-83288-1 References:
- 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -575,18 +575,26 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-91183-4 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 137 rules | | Group
@@ -429,7 +429,25 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-85776-3 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -502,7 +502,11 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-85795-3 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -602,7 +602,52 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-85777-1 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
+After the settings have been set, run dconf update. | | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
+remotely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | | Identifiers and References | Identifiers:
+ CCE-85822-5 References:
+ 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 48 groups and 111 rules | Group
@@ -392,18 +392,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -450,7 +450,18 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-85787-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -556,7 +556,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| | Group
System Cryptographic Policies
Group contains 3 rules | [ref]
@@ -697,7 +697,18 @@
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | Identifiers:
CCE-85791-2 References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -737,7 +737,34 @@
if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-85794-6 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 54 groups and 165 rules | | Group
@@ -127,7 +127,66 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -287,7 +287,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | |
| Rule
Configure AIDE to Verify Access Control Lists (ACLs)
[ref] | By default, the acl option is added to the FIPSR ruleset in AIDE.
@@ -413,7 +413,35 @@
/etc/aide.conf | | Rationale: | ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_verify_acls | | Identifiers and References | Identifiers:
CCE-85623-7 References:
- BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-15-040040, SV-234986r622137_rule | | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Web Server
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 45 groups and 119 rules | | Group
@@ -209,7 +209,10 @@
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | | Identifiers and References | Identifiers:
CCE-83261-8 References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SLES-15-010010, SV-234802r622137_rule | | |
| | Group
Account and Access Control
Group contains 7 groups and 16 rules | [ref]
@@ -313,7 +313,108 @@
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny | | Identifiers and References | Identifiers:
CCE-85842-3 References:
- BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050 | | |
| Rule
+ Configure the root Account for Failed Password Attempts
+ [ref] | This rule configures the system to lock out the root account after a number of
+incorrect login attempts using pam_faillock.so.
+pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
+defined to work as expected. In order to avoid errors when manually editing these files, it is
+recommended to use the appropriate tools, such as authselect or authconfig,
+depending on the OS version. Warning:
+ If the system relies on authselect tool to manage PAM settings, the remediation
+will also use authselect tool. However, if any manual modification was made in
+PAM files, the authselect integrity check will fail and the remediation will be
+aborted in order to preserve intentional changes. In this case, an informative message will
+be shown in the remediation report.
+If the system supports the /etc/security/faillock.conf file, the pam_faillock
+parameters should be defined in faillock.conf file. | | Rationale: | By limiting the number of failed logon attempts, the risk of unauthorized system access via
+user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
+the account. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root | | Identifiers and References | Identifiers:
+ CCE-91171-9 References:
+ BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | Profile InformationCPE Platforms- cpe:/o:suse:linux_enterprise_server:15
- cpe:/o:suse:linux_enterprise_desktop:15
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Base Services
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of SUSE Linux Enterprise 15
Group contains 83 groups and 237 rules | Group
@@ -111,18 +111,26 @@
$ sudo zypper install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-83289-9 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SLES-15-010420, 1.4.1, SV-234851r622137_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -169,7 +169,66 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85610-4 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -329,7 +329,22 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-85671-6 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r622137_rule | | Remediation Shell script ⇲# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -151,64 +151,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -216,19 +216,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1686,20 +1686,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1721,6 +1707,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -1738,20 +1738,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1773,6 +1759,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -108,7 +108,7 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -151,64 +151,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -216,19 +216,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1686,20 +1686,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1721,6 +1707,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -1738,20 +1738,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1773,6 +1759,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,22 +7,22 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable Public Key Authentication
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
@@ -31,220 +31,220 @@
ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Disable Kerberos Authentication
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Resolve information before writing to audit logs
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Enable Yama support
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-kernel_config_security_yama_action:testaction:1
-
- Enable auditd Service
+
+ Remove the OpenSSH Client and Server Package
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-package_openssh_removed_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Verify Permissions on shadow File
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Install the OpenSSH Client and Server Package
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-package_openssh_installed_action:testaction:1
-
- Verify Permissions on /var/log Directory
+
+ Do not allow ACPI methods to be inserted/replaced at run time
- ocil:ssg-file_permissions_var_log_action:testaction:1
+ ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1
-
- Kernel panic on oops
+
+ Ensure auditd Collects File Deletion Events by User - unlink
- ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
-
- Disallow Configuration to Bypass Password Requirements for Privilege Escalation
+
+ Verify that Shared Library Files Have Restrictive Permissions
- ocil:ssg-disallow_bypass_password_sudo_action:testaction:1
+ ocil:ssg-file_permissions_library_dirs_action:testaction:1
-
- Verify that All World-Writable Directories Have Sticky Bits Set
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Set Password Minimum Length in login.defs
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1
-
- Verify that System Executables Have Restrictive Permissions
+
+ Verify User Who Owns group File
- ocil:ssg-file_permissions_binary_dirs_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of openSUSE
This guide presents a catalog of security-relevant
configuration settings for openSUSE. It is a rendering of
@@ -43,64 +43,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -108,19 +108,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1578,20 +1578,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1613,6 +1599,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -1630,20 +1630,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -1665,6 +1651,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -120,7 +120,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -163,19 +163,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -183,97 +179,101 @@
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -4665,6 +4665,11 @@
SV-217148r603262_rule
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83067-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -4673,10 +4678,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -122,7 +122,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -165,19 +165,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -185,97 +181,101 @@
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -4667,6 +4667,11 @@
SV-217148r603262_rule
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83067-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -4675,10 +4680,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,106 +7,106 @@
2022-10-01T00:00:00
-
- Configure server restrictions for ntpd
+
+ Disable Postfix Network Listening
- ocil:ssg-ntpd_configure_restrictions_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Disable x86 vsyscall emulation
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Enable Public Key Authentication
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Uninstall xinetd Package
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Ensure LDAP client is not installed
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Limit Password Reuse
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Verify that local /var/log/messages is not world-readable
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-file_permissions_local_var_log_messages_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Verify ownership of Message of the Day Banner
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-file_owner_etc_motd_action:testaction:1
-
- Set number of Password Hashing Rounds - password-auth
+
+ Disable Kerberos Authentication
- ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
@@ -115,1276 +115,1277 @@
ocil:ssg-file_permissions_sshd_config_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - kmod
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Resolve information before writing to audit logs
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Record Events that Modify User/Group Information - /etc/security/opasswd
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1
-
- Remove the X Windows Package Group
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 12
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -43,19 +43,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -63,97 +59,101 @@
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -4545,6 +4545,11 @@
SV-217148r603262_rule
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83067-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -4553,10 +4558,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -171,19 +171,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -191,107 +187,111 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
+
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -6486,6 +6486,11 @@
SV-234851r622137_rule
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83289-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -130,7 +130,7 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -173,19 +173,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -193,107 +189,111 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
+
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -6488,6 +6488,11 @@
SV-234851r622137_rule
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83289-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,130 +7,130 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
+
+ Disable Postfix Network Listening
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Enable Public Key Authentication
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Disable Samba
+
+ Ensure All Groups on the System Have Unique Group Names
- ocil:ssg-service_smb_disabled_action:testaction:1
+ ocil:ssg-group_unique_name_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Uninstall xinetd Package
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Disable Quagga Service
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-service_zebra_disabled_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Ensure LDAP client is not installed
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Limit Password Reuse
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Ensure SELinux Not Disabled in /etc/default/grub
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_enable_selinux_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Set number of Password Hashing Rounds - password-auth
+
+ Verify that local /var/log/messages is not world-readable
- ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1
+ ocil:ssg-file_permissions_local_var_log_messages_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Verify ownership of Message of the Day Banner
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-file_owner_etc_motd_action:testaction:1
-
- Configure SSH to use System Crypto Policy
+
+ Disable Kerberos Authentication
- ocil:ssg-configure_ssh_crypto_policy_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Verify that Interactive Boot is Disabled
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-grub2_disable_interactive_boot_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
@@ -139,1414 +139,1403 @@
ocil:ssg-file_permissions_sshd_config_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of SUSE Linux Enterprise 15
This guide presents a catalog of security-relevant
configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -43,19 +43,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -63,107 +59,111 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
+
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -6358,6 +6358,11 @@
SV-234851r622137_rule
The AIDE package must be installed if it is to be available for integrity checking.
CCE-83289-9
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
RPMS.2017/scap-security-guide-debian-0.1.64-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.64-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-debian-0.1.64-0.0.noarch.rpm to scap-security-guide-debian-0.1.64-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -172,4 +172,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html dd604a394be73b680ba5b80ed738386991e9db31c55dabff26ef2155da38b423 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 73d3a80f3b268a9cff8486b68af2db50e98d05cbfba13c06dbd892e80e711840 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html fede671b905e49c33ffd4080aa285224626d5ce9de7c37e7bab0ac85feb202d5 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html fbfab1ff85ed56a682292b9d987e010ccf912a8b54d0597e45008da3faa3dcf6 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 39be3686adfd9bdc4fb2a7598ec4747d623ba86863c3ba72eb172bc834e68231 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 52b4e193e61cf3b809ff7c8e40f3fa01a2313dd2a6c8882e702952155f9bce28 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 12a5828946e5b4f4d9c3e5f654938a3004a9fae29f992ce8cb99696357aeb5dd 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 13fc603639ca9689c25d16e1a50a1bc0283acd7e13768b8e0ed98d9c890943d6 2
@@ -177,5 +177,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 021d8eb50c614dcdf7e90f97d5742540785ecab8f318783806cd5e0d47fe4192 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html b3f736e129f7bfd28daa588f6e3b22662a548c92fc4b38e852ee8f9bece8070c 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 310d5f6b36e5ef19a71a0d233d614fc97ef8ebffca23fb32d03a14d1e00c755d 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 6a244590aec4ca9425174caf3d7de97ce047c245c088adaf0b81f9611f1a001a 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 46161ceef8ce904b26b45d1fb0decc1b28a616e1c422d987c59617659f0b247d 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 27abfe720b93df389da833452e24626809f386b9017398bfd8f879df3f273be5 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 74294fc4b6eaed40d1a575da7a0c0f8b2e7e2c6d70c665d43c68ac10b151ff2d 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html c982cf29023b19ffd57583b9d2df02df2a713f933e91c2df9b8fb6fff543050f 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 0dbc6c57ad9a50751d1885e32075ec90ac5ae1e4bfb14255b65fa5915793a850 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html deb813c8d33c0c47abc0b1c3cb06f4c967043e37615a13d8faa902630afc9896 2
@@ -183,5 +183,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 60b02102ee1189f763457ec2a7011572140e763455a41c2ee812247b11b71acd 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html 14be4359a812047e4bf895f2cbf5d116e05abf97b0bef007e6af78486b3de3a8 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 320669bbc712589b7123fc2b85d641b9f233032d7d57d1fa6fb10ed7e8c81683 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2e26b6268013bb44e451d1ef34d21603fb630673cf52025cf7b50e901050b54a 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 135695d750d89c841eb1949e16c1a6c5fccdb25178aff2a2832bd0df0ad6db53 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 6e37fe3eba3110e9c855643554e9ac5b6152fad90ca271dec3738d6be5ae6428 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_average.html dee490d4edc63530abeb93472117851814e14de65f2e6b594e5efa2aeddda013 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_high.html 7e8d459b52d32b7ed6b90093bdc2745f5d96977da3a18f57a3aed6e54045aeba 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_minimal.html 2ee7bcfa23c465a0c65f4f1f74dcc258ba6e3e53c49e6da3202c0e067e484490 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 22e31b72bcb8e1a962bd6f803400a0f5b0dac0dc8541c1e87ca996650fdd1533 2
@@ -189 +189 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html 741ac0dfc546ab8a9cdbf868d8b93a6ce4f0ef2f7746fac4f80390142fb4c317 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-standard.html a031a6366213aa96c37328217e9adab0c9cb39d8c37e9a66c6cf9588b6d28370 2
@@ -232,3 +232,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml e80a1f025f7cd3b5fb4e77f78212f1beb76d1dc0a01757534169a1b50336aa80 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml bca6f89c7a5d846ac32db985570d549946164aeb9fdeb4859c3738518f0d5965 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 19f212043b0efb2a7aee821407b74b08854927307fc1be16edb10aed7c3295cb 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml a04908ff3c0f6f9a266daf87167ae96b9a14661b8482eb8be967a3db4fc037bc 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml fce986985a22f370ce9ecf8a7043180a3b2ef7683090d810bf9530b18f8304a9 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 75406549dd7ade392c103dec7430aca5f32731515a83a5ce094599603acacc9c 0
@@ -236 +236 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 577c3ca44c9a67cd2d3ddf14ffbb77a2c0f69549822565d2b5f6b18fb6213c00 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 237b97a10212126b028633b5a0e2ab4678619e28cf4059e97a10f8cdd25ff31d 0
@@ -239,3 +239,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 23a8a924bbf6b22d58369477f84a1c328104e432957aef28d162541c1c2fa763 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml c80a1990e3ff4225f34963cb657b0da41eb0bf6b478592cd6bfe0922d457a92b 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 3680875b05d4daa44ba0d95ada8e87fb93bda656f2d0418385979b3b3e736152 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 4180d287c2b1511018a56151119194cb97655d6e1400f16a235abc6156876f88 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 82b9de8a5823104a7f9d3d399729921dbb87b940f5ec23395210ddb088032775 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 709882c7bc6c9866f4cc81a81d1204fc835bd794d0ff9cbb933e32329be66fa9 0
@@ -243 +243 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 5bbd0ad09cc30aa09bb6b83c7ccf69ac106c7795bf9a981b8fd34c5f5bb29377 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 161dc8c33e5b37a2bbc9d802cbbd2154f08c7b30e4825cd3ab6a5badb735c67d 0
@@ -246,3 +246,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 84c57386e1b33216892bca5deffadfff657cabc351d476695a83686d8e47a9d8 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 3db2f4680db3d2e2d53fc0a362398c4e754d81a5770846a03007b8956aa3a565 0
-/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2a347f6a4c7134572dd8ce8a19311d95cfd8d4ff62e9d1b206ecf5dd5692cf65 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml bf178fd7038c1c510c1521b08bc7828044623841b4fa610225bd8ec46a6da11a 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml e9a2346a6b1e7a4c56887a1bf7e7550e54d5ac4946784dcd6aa140374175d80f 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml fbf5daf8586d5208baad7f92a591d70bbd9f145d698e3e797071b4c8d9b634b0 0
@@ -250 +250 @@
-/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml f9369f1242a6870a70c7ba8a43792a78726196cfca943ccc0f7e72efabfd032d 0
+/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml cb1793cf6e10c5abb1308f08359fe8951fbee8b4bcaf398006535fae70189427 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 2022-10-01 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 20 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules | [ref]
@@ -483,17 +483,17 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 23 groups and 50 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,17 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 11 groups and 24 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,17 +237,17 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 2022-10-01 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 22 groups and 49 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,17 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 10
Group contains 19 groups and 44 rules | | Group
@@ -230,17 +230,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| | Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules | [ref]
@@ -483,17 +483,17 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 23 groups and 50 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,17 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 11 groups and 24 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,17 +237,17 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 2022-10-01 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 22 groups and 49 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,17 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debian:debian_linux:11
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 11
Group contains 19 groups and 44 rules | | Group
@@ -230,17 +230,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| | Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 3 groups and 8 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
Group contains 2 rules | [ref]
@@ -483,17 +483,17 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 23 groups and 50 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,17 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 11 groups and 24 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 1 group and 4 rules | [ref]
@@ -237,17 +237,17 @@
$ apt-get install syslog-ng-core | | Rationale: | The syslog-ng-core package provides the syslog-ng daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_syslogng_installed | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1 | | | | Rationale: | The syslog-ng service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_syslogng_enabled | | Identifiers and References | References:
- BP28(R46), BP28(R5), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 | | | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
/usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian9-guide-anssi_np_nt28_restrictive.html 2022-10-01 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 22 groups and 49 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,17 +354,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | Profile InformationCPE Platforms- cpe:/o:debianproject:debian:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Debian 9
Group contains 19 groups and 44 rules | | Group
@@ -230,17 +230,17 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | | | Rationale: | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227 | | | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -143,49 +143,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -193,39 +193,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2046,11 +2051,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3111,20 +3111,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3146,6 +3132,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3163,20 +3163,6 @@
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -143,49 +143,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -193,39 +193,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2046,11 +2051,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3111,20 +3111,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3146,6 +3132,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3163,20 +3163,6 @@
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,22 +7,22 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable Public Key Authentication
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
@@ -31,334 +31,334 @@
ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Disable Kerberos Authentication
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Resolve information before writing to audit logs
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Enable Yama support
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-kernel_config_security_yama_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Verify Permissions on shadow File
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
- Enable auditd Service
+
+ Do not allow ACPI methods to be inserted/replaced at run time
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Ensure auditd Collects File Deletion Events by User - unlink
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Verify that Shared Library Files Have Restrictive Permissions
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-file_permissions_library_dirs_action:testaction:1
-
- Verify Permissions on /var/log Directory
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_permissions_var_log_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Disable snmpd Service
+
+ Set Password Minimum Length in login.defs
- ocil:ssg-service_snmpd_disabled_action:testaction:1
+ ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1
-
- Kernel panic on oops
+
+ Verify User Who Owns group File
- ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Disallow Configuration to Bypass Password Requirements for Privilege Escalation
+
+ Record Unsuccessful Access Attempts to Files - truncate
- ocil:ssg-disallow_bypass_password_sudo_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1
-
- Verify that All World-Writable Directories Have Sticky Bits Set
+
+ Enable different security models
- ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 10
This guide presents a catalog of security-relevant
configuration settings for Debian 10. It is a rendering of
@@ -43,49 +43,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -93,39 +93,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1938,6 +1938,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -1946,11 +1951,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3011,20 +3011,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3046,6 +3032,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3063,20 +3063,6 @@
BP28(R58)
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -143,49 +143,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -193,39 +193,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2046,11 +2051,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3111,20 +3111,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3146,6 +3132,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3163,20 +3163,6 @@
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -143,49 +143,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -193,39 +193,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2046,11 +2051,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3111,20 +3111,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3146,6 +3132,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3163,20 +3163,6 @@
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,22 +7,22 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable Public Key Authentication
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
@@ -31,334 +31,334 @@
ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Disable Kerberos Authentication
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Resolve information before writing to audit logs
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Enable Yama support
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-kernel_config_security_yama_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Verify Permissions on shadow File
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
- Enable auditd Service
+
+ Do not allow ACPI methods to be inserted/replaced at run time
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Ensure auditd Collects File Deletion Events by User - unlink
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Verify that Shared Library Files Have Restrictive Permissions
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-file_permissions_library_dirs_action:testaction:1
-
- Verify Permissions on /var/log Directory
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_permissions_var_log_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Disable snmpd Service
+
+ Set Password Minimum Length in login.defs
- ocil:ssg-service_snmpd_disabled_action:testaction:1
+ ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1
-
- Kernel panic on oops
+
+ Verify User Who Owns group File
- ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Disallow Configuration to Bypass Password Requirements for Privilege Escalation
+
+ Record Unsuccessful Access Attempts to Files - truncate
- ocil:ssg-disallow_bypass_password_sudo_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1
-
- Verify that All World-Writable Directories Have Sticky Bits Set
+
+ Enable different security models
- ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 11
This guide presents a catalog of security-relevant
configuration settings for Debian 11. It is a rendering of
@@ -43,49 +43,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -93,39 +93,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1938,6 +1938,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -1946,11 +1951,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3011,20 +3011,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3046,6 +3032,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3063,20 +3063,6 @@
BP28(R58)
/usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 9
This guide presents a catalog of security-relevant
configuration settings for Debian 9. It is a rendering of
@@ -143,49 +143,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -193,39 +193,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2046,11 +2051,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3111,20 +3111,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3146,6 +3132,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3163,20 +3163,6 @@
/usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -100,7 +100,7 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 9
This guide presents a catalog of security-relevant
configuration settings for Debian 9. It is a rendering of
@@ -143,49 +143,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -193,39 +193,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2038,6 +2038,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2046,11 +2051,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3111,20 +3111,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3146,6 +3132,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3163,20 +3163,6 @@
/usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,22 +7,22 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable Public Key Authentication
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
@@ -31,334 +31,334 @@
ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Disable Kerberos Authentication
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Resolve information before writing to audit logs
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Enable Yama support
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-kernel_config_security_yama_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Verify Permissions on shadow File
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
- Enable auditd Service
+
+ Do not allow ACPI methods to be inserted/replaced at run time
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Ensure auditd Collects File Deletion Events by User - unlink
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Verify that Shared Library Files Have Restrictive Permissions
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-file_permissions_library_dirs_action:testaction:1
-
- Verify Permissions on /var/log Directory
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_permissions_var_log_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Disable snmpd Service
+
+ Set Password Minimum Length in login.defs
- ocil:ssg-service_snmpd_disabled_action:testaction:1
+ ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1
-
- Kernel panic on oops
+
+ Verify User Who Owns group File
- ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- Disallow Configuration to Bypass Password Requirements for Privilege Escalation
+
+ Record Unsuccessful Access Attempts to Files - truncate
- ocil:ssg-disallow_bypass_password_sudo_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1
-
- Verify that All World-Writable Directories Have Sticky Bits Set
+
+ Enable different security models
- ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Debian 9
This guide presents a catalog of security-relevant
configuration settings for Debian 9. It is a rendering of
@@ -43,49 +43,49 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -93,39 +93,39 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1938,6 +1938,11 @@
SRG-OS-000363-GPOS-00150
SRG-OS-000445-GPOS-00199
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -1946,11 +1951,6 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
-
- name: Ensure aide is installed
package:
name: aide
@@ -3011,20 +3011,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3046,6 +3032,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3063,20 +3063,6 @@
BP28(R58)
RPMS.2017/scap-security-guide-redhat-0.1.64-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.64-0.0.noarch.rpm differ: byte 226, line 1
Comparing scap-security-guide-redhat-0.1.64-0.0.noarch.rpm to scap-security-guide-redhat-0.1.64-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -733,14 +733,14 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 29f5a141d19ec04ea765d6f76535a63aa23bb14c25078cba91a51481b468e70f 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html c2c3af5821cbc44690ae85a1ae4c61b01f5cb1afeab5b320da8962aee22f47c9 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html f371af8177e2a1713ac391421b42a5926b2b18cfa4f88a02b8ca7e6ad4fc0408 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html a29e7659e7eda3ec7766f64cb30cddee92af067d711a3a1129dd72f642d1a8f9 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 1004fb32b6f359891e0d8387d4cceda5c34095a46e447b283cfc11f62184fa2e 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 10a2007850a3b63c1571c2f949aa17f9071d4cb16b4046c80e41946ae8d8df15 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 43f7825fdcc740d29e2865aef7b2ddf462722e11b56ae418677f95bed1ef5fe2 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html de9391d7d4ae565169c01cbaba17a91fe157692b1703be2b24052bbb2046f17f 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 2854c7e1dfb4ed52ee25ec8455b23abc94be1e95feb0d630728b651f35df06f8 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html b7f77b08df0510ed433d3ebd026b0ef3027a52820566c379f72c33ce8b9f8e22 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html b860afaae60ccff476bd5e7c9655025a4d0a9d6c0ce6940527604f2f87f84a2b 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 9e83169dc77a91bbeeaf1f623dc8bb29b32095cde7c0d31d9772d01e677285d6 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 5d1dc6ba73d9e744d0968f85e9a3ff0d9a9334bd444822a2799c5edd65a6b395 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 4d64f7a24ca379d9ffad40540d2086150c048ea2eff9764dd9ec667df2352227 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 58a5f1dd5552e12d447954e43e963213a0d167856ba3ff350847621920536fe5 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 450203db8687852d158a7040d4f27ae554bb80e7428925fba4b5233cbdb2dd56 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 7d1e0fee34377e4617318124c77f542af5618d8f7216e83568e6cb741f5b9004 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html 02d6cc28d39e312161839c8e90ce8adf3e0def7e3112aa00927cf2ad169a360e 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html dd07b1d43d572f2dfd43dd42f1e17a477b72cf7f7b5fc88db66754fcef8d0bad 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html d5e85d61e742aa623f84f0703aecd0f06ad870ec3381fc44df5200c7cd6e1cdb 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 10624576621fd64a570468503892073046b4496f5529e359607c56d86bc75e05 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html 96ab755cc66087283515dca281e4fab0a851cb4911db7b816d68e97089d7c3f4 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 853d4039864dbac5000b310cb483b38fcecb44caa66f20fa2ad216ef1e1a0a41 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 448e65fef38930b69b22da3203a7c6ca36a07f1a0e4ef9ec7b3e6df3601cc87a 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html a757bf3d3af5dd29a9a827475b314912e490eaff13e6eab808f11c0079164faf 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 9562422e91a29a0f5d527123f80c4a4b0b96d22e5516a5f8758ef353e7c9d36c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html f5f027d3407f90ac9af58b231f2f4d6f6ac42e14bbb799ba7be7b2b4d78d6e22 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html d3310a474b58b9407adc207e1f0ef942ab82a0233f5afe430a7a03dded3d5787 2
@@ -748,18 +748,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 1b2c22f96bca97602b55b744a6590cc53942eddece21729c7d7c23371058cc58 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html bcee0557ef629bd4a6f75fcaf374b45addc3b68dcddfeb2ed89753f7cd357503 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html a6cd207fd666b7d73609fcba26b6fd5d0bd980dc69c41a0a66862bc10019d1dd 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html 32e2bb62eb8f6436bc1c3cad2a5cfa16e182fc9e8f62f8aa50b06aaf4342f6a3 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html b3d339185e49b989ff32d597e20bff3d899b7e4230bc95b2129b4fcd5dd60ab6 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html cd05d53f74385743724c518047d126433130a562b97b76569e1642c401e1886c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 95b9eb45a376f609c733d36324ea26e81c09349b5e51e890d75de7e531cc60ca 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 8726471775b69f67fd4b2ab9d1dadea711561e9839bc8efebb990dbb03a4007f 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html ce5e463c3f97ab10511202fa59fee709a76f5ccaa8312744c5472dec2813c37e 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html f23ba18fba1ee93bfb681b9e1079f63a6d92bfbbd28527508a5dc85c1c73f9fe 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 1b467bf9594a0f420c3d0c4388b06ec926aa7a8711c9530d061222902f835f0b 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 89b5974d70c1bdba343d7f8ca17b5ec9ce52de19bb7738ae16deba7206b39912 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 30a5d60cfa1359d6e2674ace2f7155ac065cac89a2e73efb151e3c74247b7fa2 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 25230ab0dfbb29d9500ee5cbc17ab004e975595ca93fbab25f0d57f09966d168 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html e95ff75b94e649816bb59fb0d630c6c64ed4b697587cbb907eccb02c4dd1cf33 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html bf137ae0b857a107676d82296b8c6da9e0ec74df6a6c95e7839ed0655e3ecb91 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 6c905879bcd9a7ac9bee87efc074098bb1b6fc8abba99822caed6aff353414a5 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html ddec46d93747a91347bf49b8501d676f113ff6ff780d454009a22f1322faf402 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 16b53b3cb8be23b07e718e57bac9cdecf6795a73a55c8c1193f6848a0b252d97 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 8694261db311f7b67d8fc111008a8fb323ddb5a78f5ff28053fcf15c2054dff2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 85a5a183cf47caa1e03bd6902060e91805cf36368c93525bd2d76a869913ab77 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html daa3aa1387fd331d6604b03eae2d682331f78793e0b30425a54b8f597e2f2853 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 63bf4abb5f07dc633aba1416ab654fd3436778423d209ca0b74f86d5a5cc4b79 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html 0f6b4745c6b65762f58b2027476fcd2ce2dfd904a7923c3faa376dfdc2fd55b4 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 0a033ebde0b3fc41f45d779e156511b37e499e22ef76e0b2da83399cb1426c99 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 4f958c5a3d917f3a6d5a8a04633666556ad34755c032b791a89e2856f8155568 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html f01752ad90f415c746f4c62d2a2eea2ad3c87c7178610486952a7f2d38c23d24 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html 34d3533ac098e15800d861cfe376b8b374ade07f3d0e6517b6f471450b9e64e3 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 03a04061e2ba179b6a97ffea89d9c74701ac304f7c57eeea3f40840696803ec3 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 107ddbc41cbe54815c22659fcd5536463cf9959e450569bd7e0dbb279df66396 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 376536d055a4e5ac382525acc5d0b433cf20adb607e0a35fab2727a8bb2a2695 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html eb3ee26e7a19b6dd68dd966e91aabf5221970abcfdb60c3c59c22c9764d5341e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 3b13557e6a5fdb6d1b920a29dcd1e583750749c60646186e6e2b114598e7249c 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html 88a14c79e4934142f6dfd9d76aaf945695adece5b532ad588e2c3b49d2c96fa1 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 9f28772ce368d6fae0105b39731e4a1bdf30ef419918c0f7d57633acf6b38459 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html fc0673674c25e9e97d90894e3502136d7a4321de4a41bbbe92d6fb68a5fed5ee 2
@@ -767,5 +767,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html db735d826cff05cef0ce244ebf4681a6519d505c9fff1562bfba049acb9808c3 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 9e80cc6054a2dc2d4e00300edfa47796eb6485001c90333fff668b8d8c8b8aa1 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 0441b6f9ad72b69957d5e970c1f9da2e5776c4f43260ec8c10496732fa90ae96 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html b2663289f401e6b8d5341e2e02ef3a7886926f979254bc06f4b820732da69169 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html cc085aa26fd3238c6956a1d270afa1d7cd8a32a613570982e53e41ca68571708 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html d158f5fbbb3602069c97373df7fb60f4849ee281e403dd5cd701d8eb9b19432b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 6b7c9ddb9a00f64f30d554a80eaa1d144c1fedafeaee748b5da1790d06d03187 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 61466f42de8e78b9deb774e392663fc5916ecdba89273aad09304f02cd745b32 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html 8fa133bc3ad15dbbf05139333a2fac31fc7953467c06706a16f72a213a328533 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 69abbc89061b6760f45a0adabec9583f3c80c793d78c698f2ede19c992edae79 2
@@ -773,11 +773,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html d3a749920887abd30c513d844bee5924c01a70f08be4c1910bc004132cdc5f39 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 695f9e74e3e99a8c0bdfe58d03958eca42cc1f10803034b4000e2e8c67020fe2 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html b15a4fc54c74bffd084f10ce160b68cb57529dff34763093e7d48e69b6b8ebd8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html f54251351fcf38cf22489ae6f036a691d2850b527a7476893854eebd1217f03d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 38524fc034c32701de8825a56e141eb165c7f69b9daf2d1e060752294fffb0aa 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html b8c097ae75b26988e8d8fedcc5899636165b6f18ded9c434257aadbdb10d0a73 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 62bdf66ffb8378d88e295f58c295efcf51c62fd91f6582ebf562bc99e5df582a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html ed1e2153755b2634c71714111ada7d3b455d1b0ec34357caf990c340c1f052b0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html a91d46fc548da3c361631a66ce3343da6c246fc3c4cccf0e04c5823f06600743 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 13141a54f6615f02a75c4282d4c0d484ed60ba9227cf8329d3c036221e06fa39 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html ace7430313c239a4d8815d8faeecc5ab431e6a6c5996b7d9a65a24ce1365744d 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 65ee0b8d1ed72b051105afc718a998ee1eeb7cc6999beb3c4e43d93690a8bd91 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html f370e59e5dd6a004b3564193360802c703860fbaec9b53ea3aaac7d1bf9a6218 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 00e327463b85705dd769bda3e30a4832e248dac4737611a8420585f4f0aabe6a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 050926a45e37a43466bf259e5c3bfbf6ae173f485ae182c4a48344c9a4c8ad30 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html e7cc48477061a0c993895377dc46f15f2826069807defa07c1992a015a776f08 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 21faf4846a2ddbf0b58f6a09d9e3378d8c71df734863c1ae68ed562f71d7ed39 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 2a613420f93aace76ad1be307a60a04da9be008c483bb910f1dc32e618febc67 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 70d41c9bcafb19c29e7a9a299ab6a015cca5abc0179d1369463d81aed355a957 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 18c512ec6e4b076ba62f31f0bcab7a114c9a697f1192e2056c88f79737b30e2f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 6c430ead89ab21197e86fff31171c179e67c0c3571997124a00f9a55cb352e9d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html ea05a0d870cb60bcc0c00fd1ae554bcf3deed003dc96ec9e2f0c99166cbd8bdc 2
@@ -785,15 +785,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 89da3ff68374680ac4c461e2f97ccfc6be78f1a1305c6469f1ddbe7c6791dc48 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 147a924d2250f0408939a2f36b0cca798d4a52f12be64a1ec9ca62840451d498 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 76445800e76b03bc1ee9d9fe526ed14f3deae443cf20c4efd0f3948f503c2570 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html ce28530c47f75d6406f3294b2052d81023fefd32d1b7e4641093aaf93f22eafb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 00e6aef67813530532cebe243193b774b97016257c83afa2823a0a6a70cc68e2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 25e9eff9a97c74934f7070c0d8f16cf701047b52e6b2fb6d15aeac137c4e542c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html d1d119def08f4fbca9d3fc65317c65c586e3eb92234818e6d52d123a11456f75 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 2bb07ca3017f3f6455c955e3e080ac51f14a01e1bf2ea5c197ed3843c0e3ba7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 22e92b28c130f4da472ca2033d5e4f0b21dda3df376b7e7ed2360eba6c112322 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 7543cfcdc771c717941c16526c1a75969a8b6d2661d412f5f8d393f571f80745 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 30a7aa56f8b0fda79b4050435f8f66c9b4658a70d0ed8700ca880da5d1246ea4 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 99592b8359c43689b73c8371ed47de475fde23a6066f7f84c6beb773d57f58fc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 2c31a597d88a7161b10de5d79f3e8fa1b669f449b56588a4876d4883a8eed372 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html e601e3dd73a25980c00359d59c8925da810a36d2c1bd3e1a1929f6802156325a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 3e623b0dbc4514c5ab627bc557e8f3322481f42fcfd65718fbccd172e4e72e42 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 8b9ec03382e2728f81591a29712c47e8f03122690ac2d6302d07dda7c094f865 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 5d4255829ee02d5b9ed26cd45bf93d6d96d5278d25bc31bbb3f801d03bc90789 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 3ba418db0d3c0639a09992911b022e181fa66f3d273e7edfebbd805742fc1312 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html fc180d2c03f5e4c528fe49dc94148779553b8c60d2db3ce6700d13b069b8408d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 9f3b161a25a6930cd02a0fe3130b4e572db68074866be006e78ec386101aae8b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 6a990088d890c41f061a0d5109573a09a414ac2e34a39294854a7c238445e179 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 0a0ebc7d976f6cd1e37d08a941d56116f1d74ba73c34e156ae9d5777ee30ba7a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html bb0afcf6e1d393b3fec0898c5fe036039116e744f7d7e828678277ddc397e90e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html fc0c1350cf64bd64ad57d7dcc657ac060c256474aeb815da698d670f61bd9d0b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html a6ebb3b569d4d1b40919a0937d5f5b85c44f396908cf5f8dcb41ace54c95a425 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 3f43cae13cef8179355a81ec0b3552bd03bcd9d36de2a3d13bf72e3d2d91e639 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 45bfa9044e0359cde63f7a26a3cab327523b78c63e54b725d2f48172eba563f2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 4ae9d530d5868cb215f82226d55d1c0b839e1334947b83d3c04461ce8181e0e4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 07a03a8f670a6da508693be8bacd2dab8463f50d4b3a3ffac5bdfdbf05bbcb68 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 47467609c94418534a01095dc58d19034c7c027cec6aed16fac15844ee6665dc 2
@@ -801,11 +801,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html f53d6e1dc6abd2c6a37dd41467f5f5e5ee128bb47db81001beb51df88b37dfd2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html f0e8ef313e17e07ace044ac43274a0fb16b24617aa9b725441f8e69e0a7df52b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 0c689addc5cd5cfbfe163daa7135e9026fac6385d57f8b18e670f7495f2ac266 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html a65b0a2ddae99191946a5e237a256c86ba9b6a17e025b33017a111f11aa99514 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html b9377eaa3097848a40380e32d2a1b4925bde6fef2b9fad821dbf44761a7bb9d9 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html 3e2c3d3c4c1effcfe9c8d1310aa7d3d8932190964491ca48633f78e87824a52e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html 5fbe0423acfe4bccb236a6d6a64981d79f7ef2293a426e52f61f728b07727ae2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html d63892b76b812014f6365efd2989fd927f46f4a03862837f65f094a48e00fde0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 5ca0c768dc826716a74fed456d3d79ea941dfb12f542c4d0fd3e5b27c3c242f2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html d6f8fed79ee7e14283285c892e4ecd5f9918218d679ed03401367e5552825019 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html 22fee4b0c0e274ce2a8afe8cc618cfb24f9fa91ffc276b6693cc172cce661fa5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 4411f296f54f3e20240caf4e7fef294cd1a3c4a8e3ea72654738b7dfc464f7ec 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 038bb48332e3b05e86fd5e3cecf71ae405957bb145e1baf22b27cce4ea9086fa 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 917b450f064380f23b576aeb577a5ce1943e43cbcb54bb6ecdf29f0bae006ce5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 1d35355a06134371dc940495e65dbad441005bdd8fe59b967a9f96e839ede25f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html 479c8c30d4e5f3b7d17e5fb7fd8550c72fdab1a552bae8c61f7f32250e310e0e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html 4c7e328786ac22b28796394e5f1173253844be988f485580b23bd8e1f9bd216b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html ec3cc8e479e706dc7919f115be0729aa31e96c7e64999a26b881284d23c0881a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html dccbb9eece86e9f3907ec02231efedeb7860c8e61167984c823fc17d14e2be6e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 9132559d75c021107a12f19a806ab7a7743161c56ea5b4800f374c78b6933685 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 474363d46d7f319c39d3c9ab3c19fd7ece08cb3b78875b482dfc0c97f6abb7a9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html b14e6721450bca2b5c805631113e30626570aa530a14d9ea090c2a499147ba4c 2
@@ -813,10 +813,10 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html 9e029b536c26cd4c348ccb9bb25aa317602f2ab9bf78c3198648ba1825296de0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 89a206253714c5088be4c2e4429b779fd346235371b89c828408da77db86dc6f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 5f4fdd1b203dfb15b6fd92d1c7afd8553303862d5e3c0dfc42a24b7f55e1631c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 7a363e2a7f8ac9c78abf9234be42e8891e37f759ff062ce0563cc67407d7303c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 330de75669459149f5151dd5346101314e899e30c130011c39cdc63b7de4b507 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 59eb40bc73e7bc95be53d8329515469e350707e04a3f09e7db9ffdff3ff68169 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html a0926064bd7d82cb7c548056b7b10cfa66dbe86be87c2214145ca50955ca0b57 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 222329739d7357f466e923f190a965f2abba63077516852709a8be97b2dca96f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html ec322c9f032ca85d5c4c19c0286f4c7b8b06be27e3989dd70d59ffa3503c3b0e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 4a2ac702657098c71f292ad04f3a34a7b23e9ab48f74c83d9545ed86871f2acf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html c99971715c4e2d220de6f855214a4b0031688192c9758cb4d38bed1d6a517d9d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html c1bc8dc2fbda558bcf6666e27a5b195bd15c57665684e847eaaf928b8e5e548a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 4daf1cdbea7afc77e43326967d36aab670d6f899c721eca2f9344a9b7b05576f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 6c7c0486b558edad51dcbe73a8a9e7d2c1d59b688620df521a48bf912eb31b4c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 662b9165d52f5d34ae14108a0e5370e6e9cfaf406c1613fafbf513c2e5e2a398 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 9d1288d5ce7fa5e871719691d1c38c174eae69d7d302960e17e0abfcada09af7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 8d44b154c4c767f72185ddf6972a23731036e7c5dd4a87f68dc15d35eed56ce7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html d02633aa69880e9aab9797bd7b6e3e74f95dff135de42c5c47c91245839b33ec 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 671298a14999d105984781fa7e54b2a35fe07dfba13907df2225b235369b4128 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html ba67dc1153506d00334544ad43096b2a6c754225813af5aa040731180455d69c 2
@@ -824,15 +824,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html b08e1e88d5edba3a976050852aadc36077cee46707a62d40dc71a33959e95b5a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 0648bf31bba962a4f3278a560ea190d3a6ed326abfe0a96753e07997648ad95b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 9af3acde50d231386a069ee30b087e66d448dff2759a4cc979a6ddbd65d464ff 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html f1c6227d3c239e55d407ca50d0825df36c54303e35233a798d9ce6b95c03f9fa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 37a7b3ef6d3ce50cc977c4353f30b8a9955aadfa2139a9f851c1abce5fce924d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 2fcc6843d88a1819f12574f9a7cd0038399405fa4a93ee8a19e828d860f231f0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html f2bc880eaf56100d558abd769cf84de96784decc29b8a34d4602ff499aedcbe7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html b2d4d5c7245c7c3835eb771b1f597d1a10c8777a28f7f62e2370c7752d9dc01a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html c41f0e20d4bef9967f48a4df2e925ae36d7bed8983e8fa9879076191060cdccc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html abeb4714ae9dc24130b5fd0153c98228ffbac403263969c781ad2bd968955691 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 7527263b207132f81ff4ebe3a3dced52579f586a60ffca94638ba273a0aa7075 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 7da689aa266645f880dc3f85fbecfd28b47b4f6e27717cdd1e6b88e33998e50b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 70a807e6bdc98176c49034bd8dc1644209744c81a5c88f6dccb7d44149961d02 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 80edc5197d7975ad58edecb32ccd39f2d1827db09b80139b1d210576080fb34b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 6dc91dda48b7f1853170e33a72db601f760affe1c64c5bd35d3616b0a71b9ec7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 37d7ee4e571d1fc4b9728029b91246f19ca49442e48b8341911e94a8c082ada6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html b918d241ad89c9b081ddd118daa33bd198776bdaf0199bf8a7b11a4df91efc9b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 154cfd37f9eece9f58b20e11a53742a1d0a43bce3507752de1f6c40e68723f06 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 3e1ab5ac11f379aef3cb518cc4fdaf37898b50b3eb90635256464c1ac62e655d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 32043370e0bc3756f3cf400c8d646d385343e55ea06c2a4138bf229f2a13a0a2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html ef938800d4c9ab20d1d9b4e46a0de9228f6789d4fb18ab30f35cd41306af778e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 6f950bf521d44e8451662e37a6aa597ca5ed53acb8784f986198b65105303bda 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html c0cf8dd207d2dd9b4aa0b2cb60a4b9cdcdd2989ac8e221a560ca42f05f7ba933 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html f99b5b9201408fd9f9a8212752ec48e5905ebf7976cd2167751c33414ea03c7c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 63e7ffdb1a72ccc5a3adb05956f87693dd1ea1cdb78837bea41c5ab94ad1f445 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html c4fdefc853b74b56a10cb89abb8f963db2dfa45dfd3f831bdd4ca6e76f9ecef0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html c1e9fe4505d32cfc357ce02dc44d8664feafa146448cf2a554ece9ee61e6f829 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 363ccd51ea39245c53eb88a860b885928d8d4bcae699d3dd9d5ff55464e366ab 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html d832ddb758986cb872f1b51dd1754cb05d68b7496e3cc5df6d67be577fbc508d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 6123d0df5481c1e1b3e7c7f2f3e936f1fa755d3c75aff7e4da0148869f8adf08 2
@@ -840,21 +840,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html c45914962ed96fb97b4389ab1afd33e112a2669492bd0045d7cbe489a1d1167d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 92b71cdd86df19095407e268a832953dec6ca6ad832addcc5ad47957c0ddb31a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 8438d652070b0b32ba03fa9b3a1da947d6fd39e3d6af997accdc020e7fd80cc7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 7fb84d65eaf59ca59af5f65f54ec788c3f986e26b9bc0f1ce53bc0cba683b1b2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html c4747632eb9bd513940e307f0c5c3f0612a5a90c37a7d8f22de8063111cb6877 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 53d5c5957ffb809644f944add0a00f31956b77030462f777ece0e4e43d066923 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html cc143689aea487736e7b40a1ba4cfe320ac689118628e8919cd7b3d7ffc2552e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 9b0b6c61beae45060fdb2af9d6330833b9fb1cc8aead7937e35d6fe2e790df7d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 19b9ee86359a11ebc8aa12f99de34fa6fbe04465f86b2e0385367aefcef9fef4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 5c03df4777e916fa750366445cc99f4d7aed3a1bc8bbcbabc9b80c59fa525ecf 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html d9f791990214810d3902cbafccc3aec3bdd437222405c1b85496dbd367f5f454 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 362fff75620d3663738ee3728fc0b896b166871f18a0537183d21c877390e811 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 9de3a5d55bae9844cbb0f58298e4e79ef749f8899f078b55055a44cbf4f37b0a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 6cc496b11f999e8745e8e094ecd70a267085e56078ae8ce51b9b0be70a256bdf 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html efa6636ee009f3034fb0cfa16688454249e041c8652a9148ef5a5f5855d0dd75 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 64459bdbadb8ed970e10c67e4cb941671563708dba832d2ad0a6b02d356dc81c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 466b55d04d0c15738f6e20c33aec931122c8fb9a55e91d031b9e231a0ebea972 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 8d33bcf421184d40b19200801cc4af4470174cd2265a5fc0d97f6dacd09f9d32 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html da58b1773fb508de5624a2fd4af0241e65a178d8f815825da8e418f608f4bb4a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 63002d63f303d4b098a23535177b42d7d80b65d5ab1078a5fbb66e9c3e94a82c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html e0724adc70464498cd68b04b1c5102bc5341b67ae7d28cecef1cdd69873ae2f5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 62958711019c996abf7257d29fefcd77d0fdf4a02c542357360730984197480c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html d5dbb4900d43e88ca73be7a24b183bb40685ed3b66ce297394ae30369f25905b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2d5fbefc6f14f198fa097817469eb06256278408a031472afe9f32ab40fe19e8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 1d2cd0f89452bacbff4a4589e818366bb6c1cde0d0a1e5d3042171d0e1700e3b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 64bb40be129296f6d8bc25f1934de71148098c43c7a9845d0f17abf0156e7d11 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html d6c6af63a694a963b5a481c7db5d1ebe2cd03fde5c4afb20e7424c1c44563a96 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 2fb85e1630242af8ae72b1671ba35d5737dc6516b29e1ed9c5595cfef7432546 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 14fadc31ea90573a482cf0cd25763601032785c49e9e7f01b81141577205b766 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html 412f64e6bba24ad1b985fc4688c8508a3e370adc50527d5f04dd2fc8bc5b404a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 7d94a2ad3bd7fee0e0c6fe9a6160f8480b441b5406f82c8f99fc7c03a783bc42 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html bcd01648536a57416e3e1350f3a25a90a555792e698f20ac0c1c5670af9b0f9d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 8e74649eb93957a48f77029f1ecc4e5812bec192ea4001081b294b0ded3d9ad1 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 1a9ad60c7be0404712252b42e7c8e744e80134c2a8335fab53b99f9b0b365b53 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 354566e686ea985a5b153548466fb8d2c3502a002254952fbb0a34a8f9d7c12b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 25523c34471e274274b4acece795eb5d097d90fa10d90ab8023b0b43abc75ebe 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 3733c17c567d610ffcfd60bc14b734f76393bd905d0755849b1c9078ce4d6fb4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 6f8c2ea312c434499844c4295a001419fc9e40606a41c17152fa603ec4f0fcb2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html afd39e337f99d65765717cba0efd53902f463b5d3afddded59f64913267a7be9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html f1056f34e14117f9597eba4e30e59bba9d59d59fae7969a1876c74e581738f2d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 2cb5eb4623a2ebee10119821f40dfd2c39103999bd3a5854d616594fdff00315 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html c12eae1cb2014ab131b1e72235cd24089e69f224812ad54d8585150a6b95364f 2
@@ -862,18 +862,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 72b7333ebd920c8d192f87d5f5b93460b67f8b639aabfa86cebc038c058fbf16 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 1dc67a5e6dd5f9e0848559694fae82f87e77e3bc51ec9a10545948e51d2da2ec 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html c0979943068a792b98d854192cdbf64e06a5f6b24e967be7473d082ef8f109dd 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html a5915fc7197de1b02735ecdbc58738ee4cc564295eb23c2211ca077e7e764ab2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 93a3aceaad6ca6c9bf94597c81da2547b6e0b710a226ee260d56f9dbc1df6afb 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html e34e003cbafb276472efbba9b934b60491660888f1950e0ec443705520a6f82c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 17c356dd2f78850cade26f0a679f5ac701855073e95da2528c58f44d0ebf5086 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 52fd7b66b790210a6a50468ea89451ddf3ff591b0f35455e2e02d0bd639a4190 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html d149ea034709b4e99f8c45c72f8f377402f5391d79d5f393a6a324b657b4a3d7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 94c0b309d5a35f7ab0defebfe8e8853a88dbe7b85abeef4ca3a4116c32f0d143 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 6d12178a38254aba1d0953a80e05fbd4077a58d8ebbd7a402a2c80bd4abbd9ac 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html bf6ff7b098ec44724f17a87e7b76c1fbe5391eff65dbf310685e1004331f086d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html e7aedb0ae272e76126468e383027126b75b0c4b9cba72b6972616507951941c0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 1da7874401b013942527673ef60a34ea8d75a352c121d3c84172a001b0f5483b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html b22f8b6cc1fa382f12bec9151cc561e861c830c977213e7ad15e71bdba302d69 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html a7933cbbbaacabecb6ba346c6dc0e5440201f835537e5a8fa6002464a2deb5fa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 103dd272241f75b0a6b2427eba676a445d5d390a52c8245e6c4314e6067c8d7c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html fe6631f11198c01d2d314eb6731536117f02f1dfb0534a7e4e9af887bbcdeb98 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 7bde6e3922c6806bbff5f2924c36024b72dbc9498b24da964625d5f0014762c9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 015b3ae263320026edb1a95c6c795dc49b0e7dc1c86a42fcaa170ec2ffe8a0bb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html d6ad1d9592765b0c26f291baa3cc13694b99f081d1c5779c1447c894363fae35 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 28af031587c90b976b0eb376cc84cce039cbcd4df0ee4e9bce8aec62e341a5ea 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html d1244cdf862f01df135270272f437a5ddc7d8f8b16ff3216c8410559040045a0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 7669c189bbdfeff5f0ee9a5fe4298e73cc5869549e2f4fceec347a7dc1564c3f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 6dde4003d88eb640da382152c2223000273fa7fcd7394bc08635d24fc6d021c6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 9d8f3986677431fb69fd4b4c502f60ef41243e296ba163be7cd1934049974b05 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html fcbba31bd618afa215f76b41c5ac2450e6d52afeb5b60e62653d95ddf3a2500f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html f653c6a8d84deb36e29e99dc2d5daaa9e525123bbaa70dc21ba7babe66f750da 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html 6d619d0234717381cff28bfa6b906cadcdd12d7f31dde6d9344db3a735caf394 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html d8d623b5fc809ef3964cfaa45d9c24a57ff063b732efa5c4ea97195e1d6bf8e5 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html e7008e3cb994d5cd047bad66c9d38b5995be1f59ba960aada462353087724a96 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 716a10a365d7d237922f402858c3390416aac3085c84271b67f3a780a594aee6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 94ccd568ecbc4b889696637de6826a82e2846bf5f0979a0aaf4ef777654143cc 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 985a8b5384c59d6d4d37d1da31f92127e44638667dbea3ded8253f27eb792cd9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 29abdbb0f58e63c85604e09ed8979843a203990145ca9054eb7f1b92cbfdd9f7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html c049430ef4491b78c2ec9fbd13c04a052f45ec0d75cc2af30e13d7412b8741d9 2
@@ -881,5 +881,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 9d28f59ee0390d9ca2d36043842a6027f0fc41e44c3a99cad9cbca51be7f5e8f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 0d356b5702ce21505affaeeaa544a653ae00946636619e7a7d45b09dd06de553 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 1bec95529cedfe3eb1b10f1ea892fb23869aaab6d34b4cf77f991acb7b7ca64b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 886006d85d1bb89905f2e03162d55d179c49264741edf282e716fae49b622b18 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 9c240b958e3bafd9821104e532b9ca4a9d30db7e1e60b640977e4b31dfc31094 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 85a68750da291c2dae2a5ff1fbf8963eed1d357c74722282e14a49ea065008c3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html 7be1d2331b580fa26d0a56c0fefeea370dec865c15360cb334a41af99b7716ae 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html d160d746c5ab2ecc9ef840da79a39cb45b9e55304f5e92bab6b6513116203f2a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html b6c1ef28f7d1f27aeb2a8aee756a06e644dbdb72ba68519918356920372f7ec9 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 5e6cb99e89bd7b00e3156bedd02b1fdcfbb647d17d62ff8925cdfb12dc417890 2
@@ -887,3 +887,3 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 1e60ccbcbde64ab059fe711ad5070f19583574aedfa018a9e3cfd35ff20e5824 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 2fb9627ebafb3f96bb3d78441cb6b5627b3690cbd9f89cbd9270094bf0216d35 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 5926fed5a9ce446bbfb193f3a145c033907d9e63aed5641822f75c3ea6b4fde3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html b0899f9c4659174b49627acf23c66fabd50658c9593fc41d1e0ce4f019fb21ec 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html b69a6a9e1dffff92eb634f5451a412398179d0599756468f21c344471fd8ce79 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html c2a936fd57c2bf7d4a4506ceeda17b536fb31e805a0e7514ec036a2c39e491a4 2
@@ -891,2 +891,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 4a05368b90eeafc34508f440fa3029cdf437a40dc0bc16aee36f17f85a7ca145 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 9d0a87b9b3d34a1ca10526dcae39ca29592ddffae2cf5b895bb19d42c266111e 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html e7927fe65c237b192e1911f5f51343e1f7378020dc399a0dae8dd6379850e1c2 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html 5fc2644176aba94c0a36ec53fe4c39b85bcbec9447963b53743153bf124ce816 2
@@ -894,2 +894,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2cdaa1d1a64df275b3639e2d434da3fafdd27f796e1d99b12d6503f8e28202a1 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 48f33d939678312024485545f0f685ec4f35c48ec5eb89353e6587eeb5ee8afa 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 7db62466c9d45ff52bbf45def47ab1e136088497ce8d399b0ba39689d9cc6563 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html c4ac07a8b45bb20e2e22b9fee64845d916e23c9217c4bf54f97df44c9cf656f8 2
@@ -899,3 +899,3 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 693dcbac87ae89179ef07db644d97c3969877c6faa0a494dc5ae10c1ca1fab28 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html efe815faf9c7030b5990de42e88eadab745f7a2d1dc957eb883f20970d8f9582 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html a77d9da3bab58dcff4e672bab43dd32ceb5ce8413828cd514167a235a4f57775 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html fbbb7fa45187ce506f576a22463a9254a8866858929e8fa6cb6c2cc2cdfdab2f 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 77d76e95692f190fb8ae67736a89bb0818cf69a324d9cd2b181cc858c0edb393 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html c6e903d5118eeefc8ab65714c330601393aa748ff953b032cb7ea3b92f1eedb9 2
@@ -905,2 +905,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 99b0298ee5524968aa1a41dfc04a0c6cb914748ddbb0e2846495ec4b1574f446 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 022cb0f4d228ece11f48cad9da7911933081576b1c2b5342643cba7a1aa424b4 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html a4b4e93fd7c11604477c3ef4c15eec98e102398c63b3336834919ee9ae28b03d 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html f17076f68f66cbc930e60c751883f42241b0027882e540f5056050b069aca5c7 2
@@ -910,2 +910,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 25c179fea91e72811e89e58b0f6c9ac027baf83a1af32a156f5bfed9e6a289f6 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html f9b5dbc4b3990a3a6c57d02657d9560087f9fb2751097ab9280d473c988cec8b 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 10d44cb653b4f222d7df9b2afbec9e67e84bf9f6a052b8d4fe176f94cae31208 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 8f192c4d8218abc546c88b03735820c7d34b8e671f9555aa544d6703e2ab0b4f 2
@@ -916 +916 @@
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2560604a82e56d86b36bb642d6be4ac9c639cf536aa6de54a9da27e8bd435814 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 16e0dc7eb7b1a9dcccde979d78d7b31f8369691d9fb59c6949df0fc618a3ec00 2
@@ -921 +921 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 3e408817406806f38059f9071fc9506b88182f1f5e4ac477943faed71a10aae8 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2af964f4361139ec4bdd97bbcf2d39498bd751be8acb21868e1fc38d65b653d2 2
@@ -923,2 +923,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html fda26b8ee4cd965d0e02ee29c90e9a184204234dc4c06c60ae2cda0370fe9f69 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 5ae80a7bdae7611710bea498a68a8a39fa85a6e67ad3fcbc098a2a562aa1af9e 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 0f5ee1a5cc3fc75bc338e3fd346454798c462bdead91bec5887cc81d35c84c10 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html f1b424b1e98f63e9e46df170d355b53492060bde17a6071aa3247584821e756b 2
@@ -929,3 +929,3 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 8e5d98027810e71cbb6aa2fe4cd14ae6192f43e86116e84ce58ef48cd6cc896f 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html f005c0290f41b9b8bc02aacf55cd1d5f4fdf7265a900f1139c40275ac107fad0 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html b06a641b109bf69f54dbc4a015aca270937b93bfca8086087ddc0d8de4137260 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 3ba79a8f32b660ae87c20f204975a7eb7e53e7e69c6e6bcb0ec9ea19ade8770c 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 9f8bb83a8af67104571601cab759771ef4ea97335d02c5516b079c07aa24786a 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 9f67b9fc8604a5ebfb138d1ab1a72468d2b98037a21f3fb24170adc9fbf8b321 2
@@ -941 +941 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html ec2cdddf0497c8402752032859de29fc24701e590ccd1421d25c4b9d61ee33ce 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html d18d352583eb14819fc5d403636678f7cb81c96603fd63a31ad1214edcef3ea3 2
@@ -943,2 +943,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 09edc901822b679f3b4ee6308a362b121597dedf9622b614547f619326915743 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 3196a8600abac92fc2c24c525da68960df32c0f2c194dbd6dfeb0333d8a2418d 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html d5ca4c8bcb3c1448ff2fc65bfc80afc76cc0193eec4c49b53c36f0208601f7c0 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html a17767a743958c1c360dc79cbadd7a38641f200d96a9425d94c8877b4bdc8d92 2
@@ -948,2 +948,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 9ce43e46a01cd155c2b293c46c7c16f5b536a37febbfd91d0540fc5c16b87548 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 271bd969c34e708e597152dc678c5c29370f433b0bc7c19006362cec2e7a0c2a 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 9f9fe17abe47207c827a2dd0b070f5cabfa5fbd2f657940c65f4bfcb2d2711f8 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html d52c3995dce1e78c7787a05637cd783231293f3823d29c22bdd5b4c1088383d9 2
@@ -1291,2 +1291,2 @@
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 68355b68c7c66ac24f29e63a841cdce9a9357c5b324435a12c5c1cc159131b20 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 97bdaab190bf8126c0efbe29e7953001d5340f7fe33a619981063c735b9d6a1a 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 81d91b67064e2fe2e4437783d3859a2695070c55a2a8db787b510615a0817e2d 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 88978c17e32cd9d6136f81be3b0d4a9bc753a6f64247af223a88c68ded1dfd15 0
@@ -1296,9 +1296,9 @@
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 32f44248e2a535c245cda3791fff413295fadcf50051c4842272facd2d1590f8 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml f63f5a1624afaa008044aaaa9687b598bb00e042dd74b03daef1f8ac3fef7264 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 97b8c3973a14434c745e47a028ccd80cfaed3b7bb9236e93d3159b54994cfb20 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 1c3e0822df330d5e45a1ff87605715d69a90575893420ca1b129a788c69a9218 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 3322923f05f8d22c1f78eabd2bee6124f31be7bc811984bc66cd5e1c1b8a505f 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml c4f32b8d1181908b64ee43347c3400eeab8989c3a68d18771f2928d48108267a 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 492fe34d22246ae8efc10c1ca810f853bf083dc16d464e8d79f8496463f3b894 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml af20d41034bb249de03601d17dae87842be1af1cd12d34e3109ba8c43f64b2da 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml de539a81b62146548d145d66f3958444501a3e00c363e11b7e79634bf1389bdf 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml a1627e8d172fb744f5b513c5988ef69a3457fbdad54429fb57656c055d630d9f 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml e69d0d81b342d8dd6dcf62f593807b2334c27ef708c605a70198901f927c64e2 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 75755d9abb6b5c50fd2d6fc834cb3f2cf3e717bc5fcdb69dc60115caa097a758 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml d9d3028617f326809ac86cb9100fbf96a2f35c96b4ae44e811fbe537b4312947 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 87f24b4d7484a9728e0fe3b3f065140ca1b6422aa436cc73b204c361a6c03b34 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml b0375e13b2a02f14b1e501772d2af2bece53a49efc4f12928fb27b402d1936b8 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 3d5668a9530e1cc50e479eea2fca5155c3ed13b604aa283d8cff5c5b493f77af 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 1bb75e8384d7d3d5728cee6bc9dd46de5a572eec84456c21b3eedbea151a9510 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 06620183efc239548ee39f8fc43c8311f0665ccb6f6840ca0f04a99242e9c775 0
@@ -1307,3 +1307,3 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 14819b486d94a8df0212c334aeda5c546b7386e4572e14b7c28ea512446bd775 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 81845638791742836707691824d247341b939704398323ea46b2cb60018a7f62 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 924b2a663ea8157aa5d7e618f792bb907590194cb3d3d1401df7d5b63721d9c2 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 5570714fb0b280ce13361b885ef71fccd4fecbe8802a7cafa877c2862f154deb 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 5382682d9afd45dd5b26be1a01d66d43a4782bd640f361efc5501c8fe0924428 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 963d0e2a3b2493e806ba10f2db89f2a57f3cf46c4c5f7468582d826d24c8ac11 0
@@ -1311 +1311 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 629527ae549e884d7e94c9047bc77eacc9783556031bb40cf27c7b528143a8f1 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 160bf4038211855c816f50c0db8231110252db22d8432ae5749faa2484789181 0
@@ -1314,3 +1314,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 625cda0973a4001328e4a76e69dea9207a70b6ff8013ea41acc309df44dafe86 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 1c0570e6b14d82aed6c9f08997319200fd4688c273520e87b0d2ecbe79d080ef 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 505da25582937315baf6b297d0b914d58b28f515803825c5a5b81d214cd8d01d 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 32a29bb3b8e8835e602f678450b1cfdaa9754bd4e13500fd0d175ea1bb511fc9 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml f08b4a1ce4982457e0efe6b8cb91a63772ffd3f9270a52f9645a64ffa00a8ba0 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 8d9eadbba679dc714bb1d8276b77cded0a407e583f7ca821308a3c3be58910b0 0
@@ -1318 +1318 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml c0045d90633d12cb24d158b58b0bf6eecd96354979b7c7eea19885ee72500899 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 3e08ecffad755e0f68cadfbd93c7adeb5470510bfcd1b102a2e2aabd4f417165 0
@@ -1321,3 +1321,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml cc9c53c1bcac3af97d215f18e0b5da27347f9d3b000cdec7676ee5f9e52ab590 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2f50d11ad4851db7ab634724ee3946733b6b528998507c890ab5b7cbfa59862f 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 4be7941c61ed4a1628011d02cc9d58bccd5b59baa65079f4b6f3768c2091843e 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 1d9521f7ee6386dc5c1ee914c3f4795d175feaf93d14c1ce242e261b0c28e4ba 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 102cbebd326f109d55335ba6c5c25ce25c536a26168f0a9b0ddad55bfde04799 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml fd005dae9f443c8bc6128c2d8249e17190e77af980242680551fc650888b7465 0
@@ -1325 +1325 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 86922b7feced7f16dbd14df98f43c61e3044847d972899eddb2498a986dcf101 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2d76f5ca0dbd4fa27ed0f2b4e98d257f426714f18162a68aa4f594a182c90a5a 0
@@ -1328,3 +1328,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 81206311504e8d0053f2aabf740a77858d2ef33fd42f0455df78c07a97613db8 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 3fbdaeb9fc2dcaf003b6c090b4ba59ff7f1e6897ecee730cf0215c5fa25a10b7 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml b8041b9f42ed99530ad2087fea968630a0275874dede1e5743e361e6fa216bbe 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml c86f57c6613cdc1b6ec88f87ee6a90cfba309f5e3ab56a05e6ecf97816698ed6 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 70c9dde763a6e68ec1289039ef858ccd07dfdd27c9301b09604979baa07ce2d1 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml e9004af533dd0ab8247be6a789f0aad7bef99913e03694d1e3fcbfc05b2e6b90 0
@@ -1332 +1332 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 3ff90c0d391dec220d85eb64611698827f5b2a50b9923cf46c925a3d53674aac 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 0db70d730e0d85dbafb609e0ff403c76dca360b80ff066d5abb56e8cd6d06f27 0
@@ -1335,3 +1335,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2e0a2901c616ef8e7eaa139e62019ddd5574ea705efbcfcddb06edf98c9ac9fb 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 97db7794a099d1c265b2fe1f1c1e3a5a0700d9493d27dddf9dc882326ed43e1a 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml c0c32f4c08db6f8de9f22fe20bc75d8a0fa5f88ce6a24e1a720e34085e9be141 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2a9c7fe66aa7c942b1825daba41c9b76942fd41e983fc95f0b07c6cc86cbd0b2 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 22f4e199ad0842c1fe7ae375da80d55833dc772f98e8d670d1b872ce2e4efd71 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml be2dad50febe6bbba242421a229a7c419f62548441762fdac09d1e29a0c116ed 0
@@ -1339 +1339 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 41c407fb9c1fc846a70999788838b63dc25c1c7eaee8f43082b44278b8807666 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml cf3c8cbe0915e71e07b293ec47789248123ac74e74ebe20adffa58ac43dba9a7 0
@@ -1342,3 +1342,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml ba4b27d662045aaecf8089de340f1f039485a67bca80404dd2abc3a63f260bac 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 71ccd8bcdc1d1390f499e8075da76d2fca36b294af349420f9179019880f58d2 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 0e11bd4357e514678d05c7d6e94e39b179c3704f5e911a6f6ba9d3d307ca57e9 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml b86aad464048e1e152b555319d082e85f5bee56402f92bfdafc65e4a286b4ecb 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 356c601e594893d346ffcae6c59f128e8de44cf9d904a31d749fa36dc739421c 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml f86bd180f4bd7244e81413055a690dcf23b1a7b33ca5bf3f5d42fb902bb3edea 0
@@ -1346 +1346 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 640fec510c403eb247692359f6f016ff21ca71c7fc87744c1e083c836ac7fd64 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 93a4b9e33fd7f3d3d202aebc52d4626a1b588035e1f02fbd27655414bb169ac3 0
@@ -1349,3 +1349,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 05ac9cdbea074ba54faa7a8c4038d0972be4b48bfe5c05cae097677ce1c47193 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 9c16c6f149cdace42487544f2ec77f4e18c9c05df2342d883361f789206fbef9 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 87d01952435cf781bde0af618d2dfbb3d0b73e47fdf9da9bfb8cd0d8a6e5f279 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 0bce233a61a5064e640d2efae349716171ccd79393105f82608e11fb0daf721e 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml f18d2846d827ddd746b6fb0261395e4d55223ba9155b59efb84744e76af5726e 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml f92dc84a0ac5ccdaa271b6d6f972d8399f0b831482a25a495da1481167183fdf 0
@@ -1353 +1353 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 1ba4c719822bbc1c06b62df58db26742d2b9d8e744a2b9b90ccc66e0e4c2ff28 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 3d2ce172d121cd5aae8bc06ee09f9b0e0d08b0f12377e63c42c409aceabcfe6b 0
@@ -1356,3 +1356,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml c8a81f9fbe6a0f32e2988bb948d5a2233a4b69bf767688ed64c1f6ee37178d0a 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 8b8a51e71eb869014cceb749af3c7eb3c3e312d4cf064508a9aa8e4d25e70be4 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml a147d125884225a365f02516818cf88c7382f93b2309c92627acf88d84f68bd4 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 7790a303c11fca0a7f4f744448e7c833bac3ceb0bf690a160a84dc88b9434c6d 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml c15d68008871d1ce6dcf9e35242f4fa0031da2a4b8a16188eeb37d11bd495252 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml d7a8e825f19e925c4eb5f4d99e5d497ef45ff7c38ee67d88dcc98a456716bca1 0
@@ -1360 +1360 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2ec25a8547192f4d1cc0133fdd9ec9e07d4acc30ecaef1f3e04c0270f383c234 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 23c1a3000c4aefc2db89488a18f9478137b65e8250c7e39e579627467c6c72a0 0
@@ -1363,3 +1363,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 89b9a5b887e2372c32192c8f468eba34e0067b0bd2a42d6b1cd3b1fdb2c18dba 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 518e064f1a913ff92b4f51e0e04da95f125b79f1602f72d363ec13d529320002 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 43fe89ac55bcffd8109348f956274afbee60daa90ee70f14bf09f191ad67e10e 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml fbab0c9bc9c98dd4a1b8a2a2152687545b4f839c3106f4629a68d29e4119f235 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml dfd9d639836d3a840cd87ed4b98de456da116a95e41d7d8b6145ffc3c3c49f72 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml f14065a68fc1383c5c979d8120e80a66c60c2ead1b5e559f995608691af83cae 0
@@ -1367,4 +1367,4 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 623c5bf608db2b1c276848a942cbc2dde0689bcf34411c7f8cbd553f81eaf71a 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2f33014a1995cad57039bce14e6cda7c21adb7acd3bf7f43814a76520810b19d 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml e05732770278570b6f9435043c788f1a4f5a969f65f1bae60fd250baf2f0ae89 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2dbe410778dd16a71a5362187e11d7404149538df48b9d2f4a6f76b4fc73a71d 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml d8d2ac4ecaf3bf72251758b0d3b567624acb6e63bb9160e4eab12cef72b60056 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 74e00fb659fde05395829674158d0338e630276cfd3a7777e091a2bf3e0fd90b 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 5eb2104047d564e902ca9e17aa8f71254f4f03d98fcc3ba00321b4a97a983084 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml fc7f2f683ebb4d9cc083d1b170ecf69117e6b617b1735ee63e06adb379a85839 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 2022-10-01 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,7 +141,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,7 +308,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -491,7 +491,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,7 +143,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,7 +310,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -510,7 +510,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -618,7 +618,34 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 171 rules | | Group
@@ -124,18 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -449,18 +449,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -494,20 +494,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 184 rules | | Group
@@ -124,18 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -287,7 +287,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -419,7 +419,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-230263r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 160 rules | | Group
@@ -124,18 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -449,18 +449,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -494,20 +494,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 43 rules | Group
@@ -111,7 +111,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230272r627750_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -174,7 +174,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230271r833301_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -242,18 +242,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,24 +279,7 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 99 groups and 293 rules | | Group
@@ -123,18 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 88 groups and 226 rules | | Group
@@ -123,18 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 84 groups and 223 rules | | Group
@@ -123,18 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 95 groups and 290 rules | | Group
@@ -123,18 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -441,7 +441,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | Group
@@ -145,7 +145,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -307,7 +307,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -487,7 +487,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | | Group
@@ -134,18 +134,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -209,7 +209,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -297,7 +297,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -434,18 +434,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | Group
@@ -147,7 +147,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -304,7 +304,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -429,7 +429,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -578,7 +578,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | Group
@@ -150,7 +150,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -461,7 +461,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html 2022-10-01 00:00:00.000000000 +0000
@@ -84,7 +84,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | Group
@@ -151,7 +151,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -308,7 +308,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -433,7 +433,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | | Group
@@ -125,18 +125,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,7 +200,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -288,7 +288,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -425,18 +425,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | Group
@@ -141,7 +141,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,7 +303,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -483,7 +483,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | | Group
@@ -121,18 +121,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -201,7 +201,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -293,7 +293,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r809334_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -432,7 +432,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-230264r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | Group
@@ -143,7 +143,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -305,7 +305,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -479,7 +479,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r792855_rule | | |
| | Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,81 +189,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 386 rules | | Group
@@ -135,18 +135,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r809354_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,81 +195,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 162 rules | | Group
@@ -124,18 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -409,18 +409,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -453,20 +453,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | | Identifiers and References | References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 175 rules | | Group
@@ -124,18 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -677,18 +677,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 57 groups and 151 rules | | Group
@@ -124,18 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -409,18 +409,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -453,20 +453,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | | Identifiers and References | References:
- BP28(R58) | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 27 groups and 43 rules | Group
@@ -111,7 +111,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -236,18 +236,24 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -355,7 +355,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | dnf should be configured to verify the signature(s) of local packages
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html 2022-10-01 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 99 groups and 285 rules | | Group
@@ -120,18 +120,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 88 groups and 218 rules | | Group
@@ -120,18 +120,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 84 groups and 215 rules | | Group
@@ -120,18 +120,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 95 groups and 282 rules | | Group
@@ -120,18 +120,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -179,7 +179,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -437,7 +437,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -147,7 +147,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -280,18 +280,24 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -334,7 +334,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -425,7 +425,34 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | | Group
@@ -174,7 +174,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -299,7 +299,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -448,7 +448,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | | Group
@@ -182,7 +182,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -331,7 +331,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -421,7 +421,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -531,7 +531,52 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | | Group
@@ -178,7 +178,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,7 +303,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -557,7 +557,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -137,7 +137,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -270,18 +270,24 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -324,7 +324,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -415,7 +415,34 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | | Group
@@ -173,7 +173,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -352,7 +352,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -455,7 +455,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 115 groups and 494 rules | | Group
@@ -130,18 +130,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,77 +189,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 113 groups and 490 rules | | Group
@@ -136,18 +136,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,77 +195,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:35
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- Network Time Protocol
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 62 groups and 206 rules | Group
@@ -139,7 +139,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -306,7 +306,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -483,7 +483,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:35
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 47 groups and 121 rules | Group
@@ -132,7 +132,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -294,7 +294,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -473,7 +473,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:38
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:35
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 39 groups and 76 rules | Group
@@ -133,7 +133,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -295,7 +295,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -431,7 +431,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -578,7 +578,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 61 groups and 161 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,18 +400,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,7 +444,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -278,7 +278,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r603260_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -415,7 +415,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020040, SV-221709r603260_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 57 groups and 151 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,18 +400,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,7 +444,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| | Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r833019_rule | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r833019_rule | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -246,7 +246,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020060, SV-221711r603260_rule | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2022-10-01 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 47 groups and 102 rules | Group
@@ -136,7 +136,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,7 +303,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -486,7 +486,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -141,7 +141,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -212,7 +212,74 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | | |
| Group
Updating Software
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 46 groups and 93 rules | Group
@@ -138,7 +138,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -300,7 +300,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -428,7 +428,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -558,7 +558,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r603260_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2022-10-01 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 54 groups and 142 rules | Group
@@ -141,7 +141,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,7 +308,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -508,7 +508,52 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
+After the settings have been set, run dconf update. | | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
+remotely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | | Identifiers and References | References:
+ 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 104 groups and 382 rules | Group
@@ -158,7 +158,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -325,7 +325,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -508,7 +508,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -132,7 +132,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -203,7 +203,74 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r603260_rule | | |
| Group
Updating Software
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 2022-10-01 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 48 groups and 99 rules | Group
@@ -132,7 +132,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -299,7 +299,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -482,7 +482,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 10 groups and 9 rules | | Group
@@ -94,18 +94,24 @@
$ sudo yum install glibc | | Rationale: | The glibc package contains standard C and math libraries used by
multiple programs on Linux. The glibc shipped with first release
of each major Linux version is often not sufficient for SAP.
-An update is required after the first OS installation. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | |
| Rule
Package uuidd Installed
[ref] | The package uuidd is not installed on normal Linux distribution
@@ -134,18 +134,24 @@
$ sudo yum install uuidd | | Rationale: | The uuidd package contains a userspace daemon (uuidd) which is
used to generate unique identifiers even at very high rates on
-SMP systems. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | |
| Rule
Only sidadm and orasid/oracle User Accounts Exist on Operating System
[ref] | SAP tends to use the server or virtual machine exclusively. There should be only
@@ -318,7 +318,12 @@
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow | | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| | Group
Services
Group contains 3 groups and 5 rules | [ref]
@@ -409,17 +409,8 @@
ensure => 'purged',
}
}
- Remediation Ansible snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypbind is removed
- package:
- name: ypbind
- state: absent
- tags:
- - disable_strategy
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - package_ypbind_removed
- - unknown_severity
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
+package --remove=ypbind
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# CAUTION: This remediation script will remove ypbind
# from the system, and may remove any packages
@@ -432,8 +423,17 @@
yum remove -y "ypbind"
fi
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
-package --remove=ypbind
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypbind is removed
+ package:
+ name: ypbind
+ state: absent
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - package_ypbind_removed
+ - unknown_severity
|
| Rule
Uninstall ypserv Package
[ref] | The ypserv package can be removed with the following command:
@@ -451,7 +451,21 @@
ensure => 'purged',
}
}
- Remediation Ansible snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypserv is removed
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
+package --remove=ypserv
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
+# CAUTION: This remediation script will remove ypserv
+# from the system, and may remove any packages
+# that depend on ypserv. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+if rpm -q --quiet "ypserv" ; then
+
+ yum remove -y "ypserv"
+
+fi
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Ensure ypserv is removed
package:
name: ypserv
state: absent
@@ -467,20 +481,6 @@
- low_disruption
- no_reboot_needed
- package_ypserv_removed
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
-# CAUTION: This remediation script will remove ypserv
-# from the system, and may remove any packages
-# that depend on ypserv. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-if rpm -q --quiet "ypserv" ; then
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 2022-10-01 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 28 groups and 72 rules | Group
@@ -134,7 +134,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -301,7 +301,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -493,7 +493,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r603260_rule | | |
| Rule
Ensure Oracle Linux GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software
@@ -652,7 +652,10 @@
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | | Identifiers and References | References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, OL07-00-020260, SV-221720r603260_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 102 groups and 270 rules | Group
@@ -133,7 +133,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -295,7 +295,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -423,7 +423,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 100 groups and 269 rules | Group
@@ -139,7 +139,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r603260_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -301,7 +301,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -429,7 +429,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r833031_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 61 groups and 169 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,18 +400,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,7 +444,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| | Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -278,7 +278,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -410,7 +410,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL08-00-010360, SV-248573r779285_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 57 groups and 159 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -400,18 +400,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -444,7 +444,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | |
| | Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r833208_rule | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r833208_rule | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -231,18 +231,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -268,24 +268,7 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 49 groups and 105 rules | Group
@@ -136,7 +136,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -298,7 +298,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -478,7 +478,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -125,18 +125,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,7 +200,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -288,7 +288,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -425,18 +425,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 48 groups and 95 rules | Group
@@ -138,7 +138,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -295,7 +295,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -420,7 +420,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -569,7 +569,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 54 groups and 140 rules | Group
@@ -141,7 +141,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,7 +303,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -452,7 +452,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -524,7 +524,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, OL08-00-010287, SV-248560r818614_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -635,7 +635,52 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -116,18 +116,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -191,7 +191,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -279,7 +279,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r818787_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -416,18 +416,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 50 groups and 125 rules | Group
@@ -132,7 +132,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -294,7 +294,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -474,7 +474,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 29 groups and 78 rules | Group
@@ -134,7 +134,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -296,7 +296,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -470,7 +470,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -542,7 +542,10 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, OL08-00-010020, SV-248524r818787_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -574,7 +574,18 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, OL08-00-010020, SV-248524r818787_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 106 groups and 402 rules | | Group
@@ -110,18 +110,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -170,81 +170,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r833241_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 104 groups and 400 rules | | Group
@@ -116,18 +116,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r818758_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -176,81 +176,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r833241_rule | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 159 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -372,18 +372,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -416,20 +416,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | | Identifiers and References | References:
- BP28(R58) | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 171 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -277,7 +277,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -640,18 +640,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 56 groups and 148 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -372,18 +372,30 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -416,20 +416,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | |
| Rule
- Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
- [ref] | The sudo requiretty tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the requiretty tag exists in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_requiretty | | Identifiers and References | References:
- BP28(R58) | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 26 groups and 41 rules | Group
@@ -102,7 +102,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -227,18 +227,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -346,7 +346,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 45 groups and 96 rules | Group
@@ -138,7 +138,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -295,7 +295,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -420,7 +420,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -569,7 +569,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 52 groups and 135 rules | Group
@@ -141,7 +141,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,7 +303,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -452,7 +452,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -522,7 +522,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -632,7 +632,52 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 61 groups and 185 rules | | Group
@@ -115,18 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -189,7 +189,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -322,18 +322,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,7 +401,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 29 groups and 78 rules | Group
@@ -134,7 +134,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -296,7 +296,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -470,7 +470,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -540,7 +540,10 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -571,7 +571,18 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 105 groups and 358 rules | | Group
@@ -111,18 +111,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -170,7 +170,68 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 103 groups and 357 rules | | Group
@@ -117,18 +117,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -176,7 +176,68 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 90 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2022-10-01 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 94 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2022-10-01 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 40 groups and 82 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2022-10-01 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- Services
- Mail Server Software
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 10 groups and 7 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- File Permissions and Masks
- SELinux
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 23 groups and 51 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2022-10-01 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 242 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2022-10-01 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2022-10-01 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2022-10-01 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Base Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 234 rules | Group
@@ -120,18 +120,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -183,7 +183,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -317,7 +317,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-27078-5 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.5.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -554,7 +554,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 165 rules | Group
@@ -116,18 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,18 +458,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82213-0 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.2.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -505,21 +505,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 179 rules | Group
@@ -116,18 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -429,7 +429,35 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-80374-2 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020040, SV-204446r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 57 groups and 155 rules | Group
@@ -116,18 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,18 +458,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82213-0 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.2.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -505,21 +505,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 27 groups and 38 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r603261_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -167,7 +167,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-80351-0 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r833190_rule | | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -253,7 +253,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | Identifiers:
+ CCE-80347-8 References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020060, SV-204448r603261_rule | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2022-10-01 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 106 groups and 290 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -569,7 +569,52 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 95 groups and 227 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -489,7 +489,52 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 89 groups and 222 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -489,7 +489,52 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 104 groups and 288 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r603261_rule | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -569,7 +569,52 @@
with physical access to the system to quickly enumerate known user accounts
without logging in. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list | | Identifiers and References | Identifiers:
CCE-80106-8 References:
- CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.8.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 102 rules | | Group
@@ -137,7 +137,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,7 +310,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -437,18 +437,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,7 +499,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -142,7 +142,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | Identifiers:
CCE-80358-5 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -215,7 +215,74 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | | |
| Group
Updating Software
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 2022-10-01 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 46 groups and 94 rules | | Group
@@ -139,7 +139,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -307,7 +307,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -439,7 +439,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -573,7 +573,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 54 groups and 142 rules | | Group
@@ -142,7 +142,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -315,7 +315,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -520,7 +520,52 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-80120-9 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
+After the settings have been set, run dconf update. | | Rationale: | Open X displays allow an attacker to capture keystrokes and to execute commands
+remotely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption | | Identifiers and References | Identifiers:
+ CCE-80121-7 References:
+ 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 105 groups and 385 rules | | Group
@@ -160,7 +160,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -333,7 +333,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -460,18 +460,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -522,7 +522,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -133,7 +133,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | Identifiers:
CCE-80358-5 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -206,7 +206,74 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | | |
| Group
Updating Software
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 2022-10-01 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | | Group
@@ -133,7 +133,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -306,7 +306,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -433,18 +433,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,7 +495,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 377 rules | | Group
@@ -135,7 +135,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -303,7 +303,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -435,7 +435,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -562,18 +562,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 48 groups and 142 rules | | Group
@@ -158,7 +158,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -326,7 +326,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -458,7 +458,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -622,7 +622,74 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r603261_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 38 groups and 68 rules | Group
@@ -113,18 +113,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -275,7 +275,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -374,7 +374,9 @@
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled | | Identifiers and References | Identifiers:
CCE-26876-3 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -456,7 +456,34 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | | Group
@@ -135,7 +135,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,7 +308,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -514,7 +514,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r603261_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -625,7 +625,34 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 102 groups and 266 rules | | Group
@@ -144,7 +144,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -312,7 +312,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -444,7 +444,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | [ref]
@@ -571,18 +571,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 265 rules | | Group
@@ -150,7 +150,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -318,7 +318,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -450,7 +450,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 6 rules | [ref]
@@ -577,18 +577,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r833192_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 171 rules | Group
@@ -116,18 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,18 +458,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82214-8 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -505,21 +505,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 61 groups and 184 rules | Group
@@ -116,18 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -424,7 +424,35 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-82891-3 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 160 rules | Group
@@ -116,18 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -458,18 +458,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82214-8 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -505,21 +505,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 43 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-82202-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010381, SV-230272r627750_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -169,7 +169,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-82197-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010380, SV-230271r833301_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -240,18 +240,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-82985-3 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-82494-6 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
- CCE-82267-6 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 99 groups and 293 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 88 groups and 226 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 84 groups and 223 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 95 groups and 290 rules | Group
@@ -115,18 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -446,7 +446,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 105 rules | | Group
@@ -137,7 +137,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -305,7 +305,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -429,18 +429,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -491,7 +491,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -126,18 +126,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -203,7 +203,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -295,7 +295,33 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -437,18 +437,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | | Group
@@ -139,7 +139,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -302,7 +302,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -431,7 +431,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -584,7 +584,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | | Group
@@ -142,7 +142,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,7 +310,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -463,7 +463,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 2022-10-01 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | | Group
@@ -143,7 +143,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -306,7 +306,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -435,7 +435,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -559,18 +559,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 210 rules | Group
@@ -117,18 +117,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -194,7 +194,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -286,7 +286,33 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -428,18 +428,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 125 rules | | Group
@@ -133,7 +133,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -301,7 +301,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -425,18 +425,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -487,7 +487,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 71 rules | Group
@@ -113,18 +113,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -195,7 +195,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -290,7 +290,11 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r809334_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -435,7 +435,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-80790-9 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010370, 1.2.3, SV-230264r627750_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | | Group
@@ -135,7 +135,15 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -303,7 +303,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -482,7 +482,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule | | |
| | Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,7 +183,82 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 386 rules | Group
@@ -127,18 +127,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,7 +189,82 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r833333_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 162 rules | Group
@@ -116,18 +116,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -415,18 +415,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -461,21 +461,7 @@
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 61 groups and 175 rules | Group
@@ -116,18 +116,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -692,18 +692,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 57 groups and 151 rules | Group
@@ -116,18 +116,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -415,18 +415,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -461,21 +461,7 @@
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 27 groups and 43 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-83544-7 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-83536-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -234,18 +234,24 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-83454-9 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -357,7 +357,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-83457-2 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | dnf should be configured to verify the signature(s) of local packages
+prior to installation. To configure dnf to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2022-10-01 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 99 groups and 285 rules | Group
@@ -112,18 +112,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 88 groups and 218 rules | Group
@@ -112,18 +112,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 84 groups and 215 rules | Group
@@ -112,18 +112,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 95 groups and 282 rules | Group
@@ -112,18 +112,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -173,7 +173,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -442,7 +442,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -139,7 +139,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -277,18 +277,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -333,7 +333,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -427,7 +427,34 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | | Group
@@ -167,7 +167,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -296,7 +296,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -449,7 +449,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | | Group
@@ -175,7 +175,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -328,7 +328,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -421,7 +421,11 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-83445-7 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -534,7 +534,52 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-87524-5 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | | Group
@@ -171,7 +171,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -300,7 +300,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -424,18 +424,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -561,7 +561,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -129,7 +129,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -267,18 +267,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -323,7 +323,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -417,7 +417,34 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | | Group
@@ -166,7 +166,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -290,18 +290,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -351,7 +351,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -459,7 +459,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 115 groups and 494 rules | Group
@@ -122,18 +122,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,81 +183,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 113 groups and 490 rules | Group
@@ -128,18 +128,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,81 +189,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 45 groups and 116 rules | Group
@@ -132,7 +132,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -294,7 +294,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -473,7 +473,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 101 groups and 375 rules | Group
@@ -133,7 +133,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -290,7 +290,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -415,7 +415,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 49 groups and 144 rules | Group
@@ -157,7 +157,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -314,7 +314,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -439,7 +439,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -668,7 +668,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,7 +141,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -308,7 +308,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r833192_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -491,7 +491,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::workstation
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,7 +143,15 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r603261_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -310,7 +310,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r646841_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -510,7 +510,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r603261_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -618,7 +618,34 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Remediation Shell script ⇲# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
+readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
+readonly REDHAT_AUXILIARY_FINGERPRINT="43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,230 +44,230 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall xinetd Package |
- The telnet daemon should be uninstalled.
+ The xinetd package can be removed with the following command:
+
+$ sudo yum erase xinetd
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ Removing the xinetd package decreases the risk of the
+xinetd service's accidental (or intentional) activation.
|
| BP28(R1) |
- Uninstall Sendmail Package |
+ Remove telnet Clients |
- Sendmail is not the default mail transfer agent and is
-not installed by default.
-The sendmail package can be removed with the following command:
-
-$ sudo yum erase sendmail
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
|
- The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 7.
|
| BP28(R1) |
- Uninstall talk Package |
+ Uninstall tftp-server Package |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
|
| BP28(R1) |
- Uninstall rsh Package |
+ Remove NIS Client |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
| BP28(R1) |
- Remove tftp Daemon |
+ Uninstall ypserv Package |
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
+ The ypserv package can be removed with the following command:
+
+$ sudo yum erase ypserv
|
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall talk Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
|
- | BP28(R1) |
- Uninstall tftp-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ The telnet daemon should be uninstalled.
|
- Removing the tftp-server package decreases the risk of the accidental
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,23 +44,6 @@
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
-
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
- |
-
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -87,6 +70,55 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
+
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
+ |
+
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+ |
+
+
3.1.1
3.1.5 |
Disable SSH Root Login |
@@ -129,20 +161,62 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Single User Mode |
+
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
+
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
|
@@ -183,92 +257,94 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
- |
-
- Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ 3.1.2 |
+ Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ By default, GNOME will reboot the system if the
+Ctrl-Alt-Del key sequence is pressed.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+To configure the system to ignore the Ctrl-Alt-Del key sequence
+from the Graphical User Interface (GUI) instead of rebooting the system,
+add or set logout to '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/settings-daemon/plugins/media-keys]
+logout=''
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
+user modification. For example:
+/org/gnome/settings-daemon/plugins/media-keys/logout
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,59 +44,31 @@
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Attempts to Alter Process and Session Initiation Information |
-
- The audit system already collects process information for all
-users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
- |
-
- Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Access Attempts to Files - open_by_handle_at |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
@@ -125,116 +97,124 @@
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - chown |
+ Ensure auditd Collects File Deletion Events by User - unlinkat |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured to
-use the augenrules program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix .rules in
-the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Record Any Attempts to Run setfiles |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+ At a minimum, the audit system should collect any execution attempt
+of the setfiles command for all users and root. If the auditd
+daemon is configured to use the augenrules program to read audit rules
+during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
+utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fsetxattr |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Record attempts to alter time through settimeofday |
- The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
|
AGD_PRE.1
AGD_OPE.1 |
+ Install openscap-scanner Package |
+
+ The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
+ |
+
+ openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
+ |
+
+
+ AGD_PRE.1
AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
@@ -64,39 +78,17 @@
|
- AGD_PRE.1
AGD_OPE.1 |
- Install openscap-scanner Package |
-
- The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
- openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
| FAU_GEN.1 |
- Enable auditd Service |
+ Set number of records to cause an explicit flush to audit logs |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+ If option freq isn't set to , the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
|
@@ -122,104 +114,114 @@
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Include Local Events in Audit Logs |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ If option local_events isn't set to yes only events from
+network will be aggregated.
|
| FAU_GEN.1 |
- Include Local Events in Audit Logs |
+ Ensure the audit Subsystem is Installed |
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
+ The audit package should be installed.
|
- If option local_events isn't set to yes only events from
-network will be aggregated.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
| FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
- To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
- If option freq isn't set to , the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+ Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
| FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ Enable auditd Service |
- The audit package should be installed.
+ The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
| FAU_GEN.1.1.c |
- Record Attempts to Alter Process and Session Initiation Information |
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
- The audit system already collects process information for all
-users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -61,51 +61,6 @@
|
| Req-6.2 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
- To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
- Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
- | Req-6.2 |
- Ensure gpgcheck Enabled In Main yum Configuration |
-
- The gpgcheck option controls whether
-RPM packages' signatures are always checked prior to installation.
-To configure yum to check package signatures before installing
-them, ensure the following line appears in /etc/yum.conf in
-the [main] section:
-gpgcheck=1
- |
-
- Changes to any software components can have significant effects on the
-overall security of the operating system. This requirement ensures the
-software has not been tampered with and that it has been provided by a
-trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system
-components must be signed with a certificate recognized and approved by the
-organization.
-
Verifying the authenticity of the software prior to installation
-validates the integrity of the patch or upgrade received from a vendor.
-This ensures the software has not been tampered with and that it has been
-provided by a trusted vendor. Self-signed certificates are disallowed by
-this requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA).
- |
-
-
- | Req-6.2 |
Ensure Oracle Linux GPG Key Installed |
To ensure the system can cryptographically verify base software
@@ -156,19 +111,63 @@
|
+ | Req-6.2 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+ To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+ Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | Req-6.2 |
+ Ensure gpgcheck Enabled In Main yum Configuration |
+
+ The gpgcheck option controls whether
+RPM packages' signatures are always checked prior to installation.
+To configure yum to check package signatures before installing
+them, ensure the following line appears in /etc/yum.conf in
+the [main] section:
+gpgcheck=1
+ |
+
+ Changes to any software components can have significant effects on the
+overall security of the operating system. This requirement ensures the
+software has not been tampered with and that it has been provided by a
+trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system
+components must be signed with a certificate recognized and approved by the
+organization.
+
Verifying the authenticity of the software prior to installation
+validates the integrity of the patch or upgrade received from a vendor.
+This ensures the software has not been tampered with and that it has been
+provided by a trusted vendor. Self-signed certificates are disallowed by
+this requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA).
+ |
+
+
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
@@ -189,14 +188,14 @@
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
- The file /boot/efi/EFI/redhat/grub.cfg should
+ The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
Only root should be able to modify important boot parameters.
@@ -204,17 +203,18 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
- The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+ The file /boot/efi/EFI/redhat/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
|
- Only root should be able to modify important boot parameters.
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -294,29 +294,41 @@
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max |
- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+ The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+ This ensures a user login will be terminated as soon as the ClientAliveInterval
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,230 +44,230 @@
|
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall xinetd Package |
- The telnet daemon should be uninstalled.
+ The xinetd package can be removed with the following command:
+
+$ sudo yum erase xinetd
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ Removing the xinetd package decreases the risk of the
+xinetd service's accidental (or intentional) activation.
|
| BP28(R1) |
- Uninstall Sendmail Package |
+ Remove telnet Clients |
- Sendmail is not the default mail transfer agent and is
-not installed by default.
-The sendmail package can be removed with the following command:
-
-$ sudo yum erase sendmail
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
|
- The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 8.
|
| BP28(R1) |
- Uninstall talk Package |
+ Uninstall tftp-server Package |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
|
| BP28(R1) |
- Uninstall rsh Package |
+ Remove NIS Client |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
| BP28(R1) |
- Remove tftp Daemon |
+ Uninstall ypserv Package |
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
+ The ypserv package can be removed with the following command:
+
+$ sudo yum erase ypserv
|
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall talk Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
|
- | BP28(R1) |
- Uninstall tftp-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ The telnet daemon should be uninstalled.
|
- Removing the tftp-server package decreases the risk of the accidental
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,23 +44,6 @@
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
-
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
- |
-
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -87,6 +70,55 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
+
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
+ |
+
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+ |
+
+
3.1.1
3.1.5 |
Disable SSH Root Login |
@@ -129,20 +161,62 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Single User Mode |
+
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
+
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
|
@@ -183,92 +257,94 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
- |
-
- Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ 3.1.2 |
+ Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ By default, GNOME will reboot the system if the
+Ctrl-Alt-Del key sequence is pressed.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+To configure the system to ignore the Ctrl-Alt-Del key sequence
+from the Graphical User Interface (GUI) instead of rebooting the system,
+add or set logout to '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/settings-daemon/plugins/media-keys]
+logout=''
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
+user modification. For example:
+/org/gnome/settings-daemon/plugins/media-keys/logout
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,59 +44,31 @@
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Attempts to Alter Process and Session Initiation Information |
-
- The audit system already collects process information for all
-users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
- |
-
- Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Access Attempts to Files - open_by_handle_at |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
@@ -125,160 +97,41 @@
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - chown |
+ Ensure auditd Collects File Deletion Events by User - unlinkat |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured to
-use the augenrules program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix .rules in
-the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Record Any Attempts to Run setfiles |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+ At a minimum, the audit system should collect any execution attempt
+of the setfiles command for all users and root. If the auditd
+daemon is configured to use the augenrules program to read audit rules
+during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
- |
-
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fsetxattr |
-
- The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
- |
-
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- AC-2(g)
AU-3
AU-10
AU-2(d)
AU-12(c)
AU-14(1)
AC-6(9)
CM-6(a)
SI-4(23) |
- Enable auditd Service |
-
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
- |
-
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -61,51 +61,6 @@
|
| Req-6.2 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
- To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
- Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
- | Req-6.2 |
- Ensure gpgcheck Enabled In Main yum Configuration |
-
- The gpgcheck option controls whether
-RPM packages' signatures are always checked prior to installation.
-To configure yum to check package signatures before installing
-them, ensure the following line appears in /etc/yum.conf in
-the [main] section:
-gpgcheck=1
- |
-
- Changes to any software components can have significant effects on the
-overall security of the operating system. This requirement ensures the
-software has not been tampered with and that it has been provided by a
-trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system
-components must be signed with a certificate recognized and approved by the
-organization.
-
Verifying the authenticity of the software prior to installation
-validates the integrity of the patch or upgrade received from a vendor.
-This ensures the software has not been tampered with and that it has been
-provided by a trusted vendor. Self-signed certificates are disallowed by
-this requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA).
- |
-
-
- | Req-6.2 |
Ensure Oracle Linux GPG Key Installed |
To ensure the system can cryptographically verify base software
@@ -156,19 +111,63 @@
|
+ | Req-6.2 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+ To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+ Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | Req-6.2 |
+ Ensure gpgcheck Enabled In Main yum Configuration |
+
+ The gpgcheck option controls whether
+RPM packages' signatures are always checked prior to installation.
+To configure yum to check package signatures before installing
+them, ensure the following line appears in /etc/yum.conf in
+the [main] section:
+gpgcheck=1
+ |
+
+ Changes to any software components can have significant effects on the
+overall security of the operating system. This requirement ensures the
+software has not been tampered with and that it has been provided by a
+trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system
+components must be signed with a certificate recognized and approved by the
+organization.
+
Verifying the authenticity of the software prior to installation
+validates the integrity of the patch or upgrade received from a vendor.
+This ensures the software has not been tampered with and that it has been
+provided by a trusted vendor. Self-signed certificates are disallowed by
+this requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA).
+ |
+
+
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
@@ -189,14 +188,14 @@
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
- The file /boot/efi/EFI/redhat/grub.cfg should
+ The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
Only root should be able to modify important boot parameters.
@@ -204,17 +203,18 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
- The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+ The file /boot/efi/EFI/redhat/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
|
- Only root should be able to modify important boot parameters.
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -294,29 +294,41 @@
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max |
- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+ The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+ This ensures a user login will be terminated as soon as the ClientAliveInterval
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,59 +44,31 @@
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Attempts to Alter Process and Session Initiation Information |
-
- The audit system already collects process information for all
-users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
- |
-
- Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Access Attempts to Files - open_by_handle_at |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
@@ -125,188 +97,41 @@
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - chown |
+ Ensure auditd Collects File Deletion Events by User - unlinkat |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured to
-use the augenrules program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix .rules in
-the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Record Any Attempts to Run setfiles |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+ At a minimum, the audit system should collect any execution attempt
+of the setfiles command for all users and root. If the auditd
+daemon is configured to use the augenrules program to read audit rules
+during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
- |
-
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fsetxattr |
-
- The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
+-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
- |
-
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- AC-2(g)
AU-3
AU-10
AU-2(d)
AU-12(c)
AU-14(1)
AC-6(9)
CM-6(a)
SI-4(23) |
- Enable auditd Service |
-
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following manifest:
-
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
- labels:
- machineconfiguration.openshift.io/role: master
- name: 75-master-auditd-enable
-spec:
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,230 +44,230 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall xinetd Package |
- The telnet daemon should be uninstalled.
+ The xinetd package can be removed with the following command:
+
+$ sudo yum erase xinetd
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ Removing the xinetd package decreases the risk of the
+xinetd service's accidental (or intentional) activation.
|
| BP28(R1) |
- Uninstall Sendmail Package |
+ Remove telnet Clients |
- Sendmail is not the default mail transfer agent and is
-not installed by default.
-The sendmail package can be removed with the following command:
-
-$ sudo yum erase sendmail
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
|
- The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.
|
| BP28(R1) |
- Uninstall talk Package |
+ Uninstall tftp-server Package |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
|
| BP28(R1) |
- Uninstall rsh Package |
+ Remove NIS Client |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
| BP28(R1) |
- Remove tftp Daemon |
+ Uninstall ypserv Package |
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
+ The ypserv package can be removed with the following command:
+
+$ sudo yum erase ypserv
|
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall talk Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
|
- | BP28(R1) |
- Uninstall tftp-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ The telnet daemon should be uninstalled.
|
- Removing the tftp-server package decreases the risk of the accidental
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -688,18 +688,6 @@
|
| 1.3.1 |
- Install AIDE |
-
- The aide package can be installed with the following command:
-
-$ sudo yum install aide
- |
-
- The AIDE package must be installed if it is to be available for integrity checking.
- |
-
-
- | 1.3.1 |
Build and Test AIDE Database |
Run the following command to generate a new database:
@@ -727,6 +715,18 @@
|
+ | 1.3.1 |
+ Install AIDE |
+
+ The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+ The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -801,18 +801,17 @@
|
| 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
@@ -847,28 +846,14 @@
| 1.4.2 |
- Verify /boot/grub2/grub.cfg Permissions |
-
- File permissions for /boot/grub2/grub.cfg should be set to 600.
-
-To properly set the permissions of /boot/grub2/grub.cfg, run the command:
-$ sudo chmod 600 /boot/grub2/grub.cfg
- |
-
- Proper permissions ensure that only the root user can modify important boot
-parameters.
- |
-
-
- | 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
- The file /boot/efi/EFI/redhat/grub.cfg should
+ The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
Only root should be able to modify important boot parameters.
@@ -876,34 +861,32 @@
|
| 1.4.2 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
- The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+ The file /boot/efi/EFI/redhat/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
|
- Only root should be able to modify important boot parameters.
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
- | 1.4.3 |
- Require Authentication for Emergency Systemd Target |
+ 1.4.2 |
+ Verify /boot/grub2/grub.cfg Permissions |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+ File permissions for /boot/grub2/grub.cfg should be set to 600.
+
+To properly set the permissions of /boot/grub2/grub.cfg, run the command:
+$ sudo chmod 600 /boot/grub2/grub.cfg
|
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+ Proper permissions ensure that only the root user can modify important boot
+parameters.
|
@@ -924,33 +907,39 @@
- | 1.5.1 |
- Disable Core Dumps for SUID programs |
+ 1.4.3 |
+ Require Authentication for Emergency Systemd Target |
- To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
- The core dump of a setuid program is more likely to contain
-sensitive data, as the program itself runs with greater privileges than the
-user who initiated execution of the program. Disabling the ability for any
-setuid program to write a core file decreases the risk of unauthorized access
-of such data.
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
|
| 1.5.1 |
- Disable storing core dump |
+ Disable core dump backtraces |
- The Storage option in [Coredump] section
+ The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
-can be set to none to disable storing core dumps permanently.
+specifies the maximum size in bytes of a core which will be processed.
+Core dumps exceeding this size may be stored, but the backtrace will not
+be generated.
|
A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
-debug problems. Enabling core dumps on production systems is not recommended,
+debug problems.
+
+Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,23 +44,6 @@
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
-
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
- |
-
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -87,6 +70,55 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
+
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
+ |
+
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+ |
+
+
3.1.1
3.1.5 |
Disable SSH Root Login |
@@ -129,20 +161,62 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Single User Mode |
+
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
+
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
|
@@ -183,92 +257,94 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
- |
-
- Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ 3.1.2 |
+ Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ By default, GNOME will reboot the system if the
+Ctrl-Alt-Del key sequence is pressed.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+To configure the system to ignore the Ctrl-Alt-Del key sequence
+from the Graphical User Interface (GUI) instead of rebooting the system,
+add or set logout to '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/settings-daemon/plugins/media-keys]
+logout=''
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
+user modification. For example:
+/org/gnome/settings-daemon/plugins/media-keys/logout
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,59 +44,31 @@
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Attempts to Alter Process and Session Initiation Information |
-
- The audit system already collects process information for all
-users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
- |
-
- Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Access Attempts to Files - open_by_handle_at |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
@@ -125,116 +97,124 @@
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - chown |
+ Ensure auditd Collects File Deletion Events by User - unlinkat |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured to
-use the augenrules program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix .rules in
-the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Record Any Attempts to Run setfiles |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+ At a minimum, the audit system should collect any execution attempt
+of the setfiles command for all users and root. If the auditd
+daemon is configured to use the augenrules program to read audit rules
+during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
+utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fsetxattr |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Record attempts to alter time through settimeofday |
- The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
|
AGD_PRE.1
AGD_OPE.1 |
+ Install openscap-scanner Package |
+
+ The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
+ |
+
+ openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
+ |
+
+
+ AGD_PRE.1
AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
@@ -64,39 +78,17 @@
|
- AGD_PRE.1
AGD_OPE.1 |
- Install openscap-scanner Package |
-
- The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
- openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
| FAU_GEN.1 |
- Enable auditd Service |
+ Set number of records to cause an explicit flush to audit logs |
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
+ To configure Audit daemon to issue an explicit flush to disk command
+after writing 50 records, set freq to 50
+in /etc/audit/auditd.conf.
|
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.
+ If option freq isn't set to , the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
|
@@ -122,104 +114,114 @@
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Include Local Events in Audit Logs |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ If option local_events isn't set to yes only events from
+network will be aggregated.
|
| FAU_GEN.1 |
- Include Local Events in Audit Logs |
+ Ensure the audit Subsystem is Installed |
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
+ The audit package should be installed.
|
- If option local_events isn't set to yes only events from
-network will be aggregated.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
|
| FAU_GEN.1 |
- Set number of records to cause an explicit flush to audit logs |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
- To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set freq to 50
-in /etc/audit/auditd.conf.
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
- If option freq isn't set to , the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.
+ Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
| FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ Enable auditd Service |
- The audit package should be installed.
+ The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
|
| FAU_GEN.1.1.c |
- Record Attempts to Alter Process and Session Initiation Information |
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
- The audit system already collects process information for all
-users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -90,6 +90,29 @@
|
| Req-6.2 |
+ Ensure Software Patches Installed |
+
+
+If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
+or a yum server, run the following command to install updates:
+$ sudo yum update
+If the system is not configured to use one of these sources, updates (in the form of RPM packages)
+can be manually downloaded from the Red Hat Network and installed using rpm.
+
+
+NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
+dictates.
+ |
+
+ Installing software updates is a fundamental mitigation against
+the exploitation of publicly-known vulnerabilities. If the most
+recent security patches and updates are not installed, unauthorized
+users may take advantage of weaknesses in the unpatched software. The
+lack of prompt attention to patching could result in a system compromise.
+ |
+
+
+ | Req-6.2 |
Ensure gpgcheck Enabled for All yum Package Repositories |
To ensure signature checking is not disabled for
@@ -134,42 +157,18 @@
|
- | Req-6.2 |
- Ensure Software Patches Installed |
-
-
-If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
-or a yum server, run the following command to install updates:
-$ sudo yum update
-If the system is not configured to use one of these sources, updates (in the form of RPM packages)
-can be manually downloaded from the Red Hat Network and installed using rpm.
-
-
-NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
-dictates.
- |
-
- Installing software updates is a fundamental mitigation against
-the exploitation of publicly-known vulnerabilities. If the most
-recent security patches and updates are not installed, unauthorized
-users may take advantage of weaknesses in the unpatched software. The
-lack of prompt attention to patching could result in a system compromise.
- |
-
-
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
@@ -190,14 +189,14 @@
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
- The file /boot/efi/EFI/redhat/grub.cfg should
+ The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
Only root should be able to modify important boot parameters.
@@ -205,17 +204,18 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
- The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+ The file /boot/efi/EFI/redhat/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
|
- Only root should be able to modify important boot parameters.
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -295,29 +295,41 @@
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max |
- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+ The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+ This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Idle Activation |
+ Enable GNOME3 Screensaver Lock After Idle Period |
- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings.
+
+To activate locking of the screensaver in the GNOME3 desktop when it is activated,
+add or set lock-enabled to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+lock-enabled=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
-/org/gnome/desktop/screensaver/idle-activation-enabled
+/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
|
@@ -327,49 +339,18 @@
|
| Req-8.1.8 |
- Set SSH Client Alive Count Max to zero |
-
- The SSH server sends at most ClientAliveCountMax messages
-during a SSH session and waits for a response from the SSH client.
-The option ClientAliveInterval configures timeout after
-each ClientAliveCountMax message. If the SSH server does not
-receive a response from the client, then the connection is considered idle
-and terminated.
-
-To ensure the SSH idle timeout occurs precisely when the
-ClientAliveInterval is set, set the ClientAliveCountMax to
-value of 0 in
-
-
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,230 +44,230 @@
|
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall xinetd Package |
- The telnet daemon should be uninstalled.
+ The xinetd package can be removed with the following command:
+
+$ sudo yum erase xinetd
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ Removing the xinetd package decreases the risk of the
+xinetd service's accidental (or intentional) activation.
|
| BP28(R1) |
- Uninstall Sendmail Package |
+ Remove telnet Clients |
- Sendmail is not the default mail transfer agent and is
-not installed by default.
-The sendmail package can be removed with the following command:
-
-$ sudo yum erase sendmail
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
|
- The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux. Postfix
-should be used instead.
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
|
| BP28(R1) |
- Uninstall talk Package |
+ Uninstall tftp-server Package |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ Removing the tftp-server package decreases the risk of the accidental
+(or intentional) activation of tftp services.
+
+If TFTP is required for operational support (such as transmission of router
+configurations), its use must be documented with the Information Systems
+Securty Manager (ISSM), restricted to only authorized personnel, and have
+access control rules established.
|
| BP28(R1) |
- Uninstall rsh Package |
+ Remove NIS Client |
-
-The rsh package contains the client commands
-
-for the rsh services
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
| BP28(R1) |
- Uninstall telnet-server Package |
+ Uninstall Sendmail Package |
- The telnet-server package can be removed with the following command:
+ Sendmail is not the default mail transfer agent and is
+not installed by default.
+The sendmail package can be removed with the following command:
-$ sudo yum erase telnet-server
+$ sudo yum erase sendmail
|
- It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-
-Removing the telnet-server package decreases the risk of the
-telnet service's accidental (or intentional) activation.
+ The sendmail software was not developed with security in mind and
+its design prevents it from being effectively contained by SELinux. Postfix
+should be used instead.
|
| BP28(R1) |
- Remove tftp Daemon |
+ Uninstall ypserv Package |
- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-tftp is a client program that allows for connections to a tftp server.
+ The ypserv package can be removed with the following command:
+
+$ sudo yum erase ypserv
|
- It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
+ The NIS service provides an unencrypted authentication service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session.
+
+Removing the ypserv package decreases the risk of the accidental
+(or intentional) activation of NIS or NIS+ services.
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall talk Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
|
- | BP28(R1) |
- Uninstall tftp-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
+ The telnet daemon should be uninstalled.
|
- Removing the tftp-server package decreases the risk of the accidental
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -724,22 +724,6 @@
|
| 1.2.3 |
- Enable authselect |
-
- Configure user authentication setup to use the authselect tool.
-If authselect profile is selected, the rule will enable the minimal profile.
- |
-
- Authselect is a successor to authconfig.
-It is a tool to select system authentication and identity sources from a list of supported
-profiles instead of letting the administrator manually build the PAM stack.
-
-That way, it avoids potential breakage of configuration, as it ships several tested profiles
-that are well tested and supported to solve different use-cases.
- |
-
-
- | 1.2.3 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -767,15 +751,19 @@
|
- | 1.3.1 |
- Install AIDE |
+ 1.2.3 |
+ Enable authselect |
- The aide package can be installed with the following command:
-
-$ sudo yum install aide
+ Configure user authentication setup to use the authselect tool.
+If authselect profile is selected, the rule will enable the minimal profile.
|
- The AIDE package must be installed if it is to be available for integrity checking.
+ Authselect is a successor to authconfig.
+It is a tool to select system authentication and identity sources from a list of supported
+profiles instead of letting the administrator manually build the PAM stack.
+
+That way, it avoids potential breakage of configuration, as it ships several tested profiles
+that are well tested and supported to solve different use-cases.
|
@@ -807,6 +795,18 @@
+ | 1.3.1 |
+ Install AIDE |
+
+ The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+ The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -881,18 +881,17 @@
|
| 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
@@ -927,58 +926,59 @@
| 1.4.2 |
- Verify /boot/grub2/grub.cfg Permissions |
+ Verify /boot/grub2/grub.cfg User Ownership |
- File permissions for /boot/grub2/grub.cfg should be set to 600.
+ The file /boot/grub2/grub.cfg should
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the permissions of /boot/grub2/grub.cfg, run the command:
-$ sudo chmod 600 /boot/grub2/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
- Proper permissions ensure that only the root user can modify important boot
-parameters.
+ Only root should be able to modify important boot parameters.
|
| 1.4.2 |
- Verify the UEFI Boot Loader grub.cfg User Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
|
- Only root should be able to modify important boot parameters.
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
| 1.4.2 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg Permissions |
- The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+ File permissions for /boot/grub2/grub.cfg should be set to 600.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the permissions of /boot/grub2/grub.cfg, run the command:
+$ sudo chmod 600 /boot/grub2/grub.cfg
|
- Only root should be able to modify important boot parameters.
+ Proper permissions ensure that only the root user can modify important boot
+parameters.
|
| 1.4.3 |
- Require Authentication for Emergency Systemd Target |
+ Require Authentication for Single User Mode |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
|
This prevents attackers with physical access from trivially bypassing security
@@ -988,14 +988,14 @@
|
| 1.4.3 |
- Require Authentication for Single User Mode |
+ Require Authentication for Emergency Systemd Target |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
|
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,23 +44,6 @@
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
-
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
- |
-
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -87,6 +70,55 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Virtual Console Root Logins |
+
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ |
+
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ |
+
+
+ 3.1.1
3.1.5 |
+ Restrict Serial Port Root Logins |
+
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
+ |
+
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+ |
+
+
3.1.1
3.1.5 |
Disable SSH Root Login |
@@ -129,20 +161,62 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Disable SSH Access via Empty Passwords |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Single User Mode |
+
+ Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+
+By default, single-user mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/rescue.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+ |
+
+
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
+
+ Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+
+By default, Emergency mode is protected by requiring a password and is set
+in /usr/lib/systemd/system/emergency.service.
+ |
+
+ This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
|
@@ -183,92 +257,94 @@
- 3.1.1
3.1.5 |
- Restrict Virtual Console Root Logins |
-
- To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in /etc/securetty:
-vc/1
-vc/2
-vc/3
-vc/4
- |
-
- Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.
- |
-
-
- 3.1.1
3.4.5 |
- Require Authentication for Single User Mode |
+ 3.1.2 |
+ Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 |
- Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
+ By default, GNOME will reboot the system if the
+Ctrl-Alt-Del key sequence is pressed.
-By default, single-user mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/rescue.service.
+To configure the system to ignore the Ctrl-Alt-Del key sequence
+from the Graphical User Interface (GUI) instead of rebooting the system,
+add or set logout to '' in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/settings-daemon/plugins/media-keys]
+logout=''
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
+user modification. For example:
+/org/gnome/settings-daemon/plugins/media-keys/logout
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -44,59 +44,31 @@
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Attempts to Alter Process and Session Initiation Information |
-
- The audit system already collects process information for all
-users and root. If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file in order to watch for attempted manual
-edits of files involved in storing such process information:
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
- |
-
- Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Access Attempts to Files - open_by_handle_at |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
|
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
|
@@ -125,160 +97,41 @@
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - chown |
+ Ensure auditd Collects File Deletion Events by User - unlinkat |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured to
-use the augenrules program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix .rules in
-the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
|
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - fchownat |
+ AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
+ Record Any Attempts to Run setfiles |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+ At a minimum, the audit system should collect any execution attempt
+of the setfiles command for all users and root. If the auditd
+daemon is configured to use the augenrules program to read audit rules
+during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
- |
-
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
- |
-
-
- AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fsetxattr |
-
- The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the auditd daemon is configured
-to use the augenrules program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-.rules in the directory /etc/audit/rules.d.
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
- |
-
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- AC-2(g)
AU-3
AU-10
AU-2(d)
AU-12(c)
AU-14(1)
AC-6(9)
CM-6(a)
SI-4(23) |
- Enable auditd Service |
-
- The auditd service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The auditd service can be enabled with the following command:
-$ sudo systemctl enable auditd.service
- |
-
- Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the auditd service is active ensures audit records
-generated by the kernel are appropriately recorded.
-
-Additionally, a properly configured audit subsystem ensures that actions of
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2022-10-01 00:00:00.000000000 +0000
@@ -90,6 +90,29 @@
|
| Req-6.2 |
+ Ensure Software Patches Installed |
+
+
+If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
+or a yum server, run the following command to install updates:
+$ sudo yum update
+If the system is not configured to use one of these sources, updates (in the form of RPM packages)
+can be manually downloaded from the Red Hat Network and installed using rpm.
+
+
+NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
+dictates.
+ |
+
+ Installing software updates is a fundamental mitigation against
+the exploitation of publicly-known vulnerabilities. If the most
+recent security patches and updates are not installed, unauthorized
+users may take advantage of weaknesses in the unpatched software. The
+lack of prompt attention to patching could result in a system compromise.
+ |
+
+
+ | Req-6.2 |
Ensure gpgcheck Enabled for All yum Package Repositories |
To ensure signature checking is not disabled for
@@ -134,42 +157,18 @@
|
- | Req-6.2 |
- Ensure Software Patches Installed |
-
-
-If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
-or a yum server, run the following command to install updates:
-$ sudo yum update
-If the system is not configured to use one of these sources, updates (in the form of RPM packages)
-can be manually downloaded from the Red Hat Network and installed using rpm.
-
-
-NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
-dictates.
- |
-
- Installing software updates is a fundamental mitigation against
-the exploitation of publicly-known vulnerabilities. If the most
-recent security patches and updates are not installed, unauthorized
-users may take advantage of weaknesses in the unpatched software. The
-lack of prompt attention to patching could result in a system compromise.
- |
-
-
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg Group Ownership |
+ Verify the UEFI Boot Loader grub.cfg User Ownership |
The file /boot/efi/EFI/redhat/grub.cfg should
-be group-owned by the root group to prevent
-destruction or modification of the file.
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway.
+ Only root should be able to modify important boot parameters.
|
@@ -190,14 +189,14 @@
| Req-7.1 |
- Verify the UEFI Boot Loader grub.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
- The file /boot/efi/EFI/redhat/grub.cfg should
+ The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
-To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
-$ sudo chown root /boot/efi/EFI/redhat/grub.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
Only root should be able to modify important boot parameters.
@@ -205,17 +204,18 @@
|
| Req-7.1 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify the UEFI Boot Loader grub.cfg Group Ownership |
- The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+ The file /boot/efi/EFI/redhat/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
|
- Only root should be able to modify important boot parameters.
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
@@ -295,29 +295,41 @@
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period |
+ Set SSH Client Alive Count Max |
- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/lock-enabled
-to /etc/dconf/db/local.d/00-security-settings.
-For example:
-/org/gnome/desktop/screensaver/lock-enabled
-After the settings have been set, run dconf update.
+ The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered idle
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes an idle timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the idle session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds.
|
- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
-of the information system but does not want to logout because of the temporary nature of the absense.
+ This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
|
| Req-8.1.8 |
- Ensure Users Cannot Change GNOME3 Screensaver Idle Activation |
+ Enable GNOME3 Screensaver Lock After Idle Period |
- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
-by adding /org/gnome/desktop/screensaver/idle-activation-enabled
-to /etc/dconf/db/local.d/00-security-settings.
+
+To activate locking of the screensaver in the GNOME3 desktop when it is activated,
+add or set lock-enabled to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+lock-enabled=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
-/org/gnome/desktop/screensaver/idle-activation-enabled
+/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
|
@@ -327,49 +339,18 @@
|
| Req-8.1.8 |
- Set SSH Client Alive Count Max to zero |
-
- The SSH server sends at most ClientAliveCountMax messages
-during a SSH session and waits for a response from the SSH client.
-The option ClientAliveInterval configures timeout after
-each ClientAliveCountMax message. If the SSH server does not
-receive a response from the client, then the connection is considered idle
-and terminated.
-
-To ensure the SSH idle timeout occurs precisely when the
-ClientAliveInterval is set, set the ClientAliveCountMax to
-value of 0 in
-
-
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 7
+1DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux V3R8.
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 8
+1DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R7.
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -160,7 +160,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -213,38 +213,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -252,87 +249,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -340,29 +335,34 @@
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -162,7 +162,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -215,38 +215,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -254,87 +251,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -342,29 +337,34 @@
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,38 +51,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -90,87 +87,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -178,29 +173,34 @@
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -208,7 +208,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -261,64 +261,71 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -326,46 +333,43 @@
-
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -373,40 +377,36 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -210,7 +210,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -263,64 +263,71 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -328,46 +335,43 @@
-
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -375,40 +379,36 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -51,64 +51,71 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -116,46 +123,43 @@
-
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -163,40 +167,36 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -152,7 +152,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -205,14 +205,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -225,25 +241,19 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -251,61 +261,55 @@
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -313,35 +317,36 @@
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -154,7 +154,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -207,14 +207,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -227,25 +243,19 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -253,61 +263,55 @@
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -315,35 +319,36 @@
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -51,14 +51,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -71,25 +87,19 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -97,61 +107,55 @@
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -159,35 +163,36 @@
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -144,7 +144,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -187,24 +187,20 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -212,96 +208,100 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
@@ -309,24 +309,24 @@
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -144,7 +144,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -187,24 +187,20 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -212,96 +208,100 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
@@ -309,24 +309,24 @@
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,472 +7,460 @@
2022-10-01T00:00:00
-
- Configure server restrictions for ntpd
-
- ocil:ssg-ntpd_configure_restrictions_action:testaction:1
-
-
-
- Disable x86 vsyscall emulation
-
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
-
-
- Enable Public Key Authentication
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Configure SSSD to run as user sssd
+
+ Ensure PAM password complexity module is enabled in system-auth
- ocil:ssg-sssd_run_as_sssd_user_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Ensure All Groups on the System Have Unique Group Names
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-group_unique_name_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Ensure All World-Writable Directories Are Owned by a System Account
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1
-
- Configure GnuTLS library to use DoD-approved TLS Encryption
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
- ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1
+ ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Disable vsyscall mapping
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-kernel_config_legacy_vsyscall_none_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Record Events that Modify User/Group Information via openat syscall - /etc/group
+
+ Record Unsuccessful Permission Changes to Files - setxattr
- ocil:ssg-audit_rules_etc_group_openat_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
-
- Ensure SELinux Not Disabled in /etc/default/grub
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-grub2_enable_selinux_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Disable ATM Support
+
+ Ensure LDAP client is not installed
- ocil:ssg-kernel_module_atm_disabled_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Uninstall geolite2-city Package
+
+ Authorize USB hubs in USBGuard daemon
- ocil:ssg-package_geolite2-city_removed_action:testaction:1
+ ocil:ssg-usbguard_allow_hub_action:testaction:1
-
- Record Unsuccessful Permission Changes to Files - setxattr
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Set number of Password Hashing Rounds - password-auth
+
+ Enable Logging of All FTP Transactions
- ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1
+ ocil:ssg-ftp_log_transactions_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Configure SSH to use System Crypto Policy
+
+ Record Successful Creation Attempts to Files - open O_CREAT
- ocil:ssg-configure_ssh_crypto_policy_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Enable Kernel Page-Table Isolation (KPTI)
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -43,24 +43,20 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
+
@@ -68,96 +64,100 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
@@ -165,24 +165,24 @@
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -136,7 +136,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -179,19 +179,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -199,101 +195,100 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -301,29 +296,34 @@
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -138,7 +138,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -181,19 +181,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -201,101 +197,100 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -303,29 +298,34 @@
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,394 +7,394 @@
2022-10-01T00:00:00
-
- Disable the abrt_handle_event SELinux Boolean
+
+ Disable Postfix Network Listening
- ocil:ssg-sebool_abrt_handle_event_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Disable x86 vsyscall emulation
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Enable Public Key Authentication
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable the mount_anyfile SELinux Boolean
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sebool_mount_anyfile_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Ensure All World-Writable Directories Are Owned by a System Account
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1
-
- Disable the xdm_sysadm_login SELinux Boolean
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
- ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1
+ ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Enable the secadm_exec_content SELinux Boolean
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-sebool_secadm_exec_content_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Record Unsuccessful Permission Changes to Files - setxattr
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Uninstall xinetd Package
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Disable Quagga Service
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-service_zebra_disabled_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Ensure LDAP client is not installed
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable the daemons_use_tcp_wrapper SELinux Boolean
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1
-
- Record Events that Modify User/Group Information via openat syscall - /etc/group
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-audit_rules_etc_group_openat_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Ensure SELinux Not Disabled in /etc/default/grub
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_enable_selinux_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Record Successful Creation Attempts to Files - open O_CREAT
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
-
- Uninstall geolite2-city Package
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-package_geolite2-city_removed_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Record Unsuccessful Permission Changes to Files - setxattr
+
+ Verify ownership of Message of the Day Banner
- ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
+ ocil:ssg-file_owner_etc_motd_action:testaction:1
-
- Set number of Password Hashing Rounds - password-auth
+
+ Disable Kerberos Authentication
- ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Record Any Attempts to Run setfiles
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -43,19 +43,15 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
+
+
-
+
-
+
@@ -63,101 +59,100 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -165,29 +160,34 @@
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -152,7 +152,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -195,44 +195,40 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -240,97 +236,101 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -154,7 +154,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -197,44 +197,40 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -242,97 +238,101 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,574 +7,580 @@
2022-10-01T00:00:00
-
- Disable the abrt_handle_event SELinux Boolean
+
+ Disable Postfix Network Listening
- ocil:ssg-sebool_abrt_handle_event_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Disable x86 vsyscall emulation
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Enable Public Key Authentication
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Configure SSSD to run as user sssd
+
+ Ensure PAM password complexity module is enabled in system-auth
- ocil:ssg-sssd_run_as_sssd_user_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable the mount_anyfile SELinux Boolean
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sebool_mount_anyfile_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Ensure All World-Writable Directories Are Owned by a System Account
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1
-
- Disable the xdm_sysadm_login SELinux Boolean
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
- ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1
+ ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Enable the secadm_exec_content SELinux Boolean
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-sebool_secadm_exec_content_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Record Unsuccessful Permission Changes to Files - setxattr
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Uninstall xinetd Package
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Configure GnuTLS library to use DoD-approved TLS Encryption
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Disable Quagga Service
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-service_zebra_disabled_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Ensure LDAP client is not installed
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Authorize USB hubs in USBGuard daemon
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-usbguard_allow_hub_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable the daemons_use_tcp_wrapper SELinux Boolean
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1
-
- Record Events that Modify User/Group Information via openat syscall - /etc/group
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-audit_rules_etc_group_openat_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Ensure SELinux Not Disabled in /etc/default/grub
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_enable_selinux_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Record Successful Creation Attempts to Files - open O_CREAT
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
-
- Disable ATM Support
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-kernel_module_atm_disabled_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Uninstall geolite2-city Package
+
+ Verify ownership of Message of the Day Banner
/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -43,44 +43,40 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -88,97 +84,101 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -171,19 +171,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
-
+
-
+
+
+
+
+
+
@@ -191,87 +197,86 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -279,24 +284,19 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -4630,6 +4630,15 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -130,7 +130,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -173,19 +173,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
-
+
-
+
+
+
+
+
+
@@ -193,87 +199,86 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -281,24 +286,19 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -4632,6 +4632,15 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,316 +7,298 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
-
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
-
-
- Enable Public Key Authentication
-
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
-
-
-
- Verify Permissions on gshadow File
-
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
-
-
-
- Configure Notification of Post-AIDE Scan Details
+
+ Disable Postfix Network Listening
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Ensure PAM password complexity module is enabled in system-auth
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Ensure SELinux Not Disabled in /etc/default/grub
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-grub2_enable_selinux_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Uninstall xinetd Package
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Disable ATM Support
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-kernel_module_atm_disabled_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Set number of Password Hashing Rounds - password-auth
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Configure SSH to use System Crypto Policy
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-configure_ssh_crypto_policy_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Enable Kernel Page-Table Isolation (KPTI)
+
+ Disable Kerberos Authentication
- ocil:ssg-grub2_pti_argument_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Verify that Interactive Boot is Disabled
+
+ Record Any Attempts to Run setfiles
- ocil:ssg-grub2_disable_interactive_boot_action:testaction:1
+ ocil:ssg-audit_rules_execution_setfiles_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - kmod
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Disable Kernel Image Loading
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Remove the X Windows Package Group
+
+ Enable Randomized Layout of Virtual Address Space
/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -43,19 +43,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
-
+
-
+
+
+
+
+
+
@@ -63,87 +69,86 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
+
-
+
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -151,24 +156,19 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -4502,6 +4502,15 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -124,7 +124,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -167,38 +167,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -206,41 +203,54 @@
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -248,30 +258,25 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -279,24 +284,19 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -124,7 +124,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -167,38 +167,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -206,41 +203,54 @@
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -248,30 +258,25 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -279,24 +284,19 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,118 +7,106 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
-
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
-
-
- Enable Public Key Authentication
-
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
-
-
-
- Configure SSSD to run as user sssd
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sssd_run_as_sssd_user_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Record Unsuccessful Permission Changes to Files - setxattr
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure LDAP client is not installed
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Record Events that Modify User/Group Information via openat syscall - /etc/group
+
+ Authorize USB hubs in USBGuard daemon
- ocil:ssg-audit_rules_etc_group_openat_action:testaction:1
+ ocil:ssg-usbguard_allow_hub_action:testaction:1
-
- Ensure SELinux Not Disabled in /etc/default/grub
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-grub2_enable_selinux_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Disable ATM Support
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-kernel_module_atm_disabled_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Record Unsuccessful Permission Changes to Files - setxattr
+
+ Disable Kerberos Authentication
- ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Record Any Attempts to Run setfiles
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-audit_rules_execution_setfiles_action:testaction:1
-
- Configure SSH to use System Crypto Policy
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-configure_ssh_crypto_policy_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Disable Kernel Image Loading
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1
-
- Verify that Interactive Boot is Disabled
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-grub2_disable_interactive_boot_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
@@ -127,520 +115,514 @@
ocil:ssg-file_permissions_sshd_config_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
-
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
-
-
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Record Unsuccessful Permission Changes to Files - fsetxattr
+
+ Resolve information before writing to audit logs
- ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -43,38 +43,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -82,41 +79,54 @@
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -124,30 +134,25 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -155,24 +160,19 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -156,7 +156,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -199,38 +199,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -238,87 +235,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -326,29 +321,34 @@
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -158,7 +158,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -201,38 +201,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -240,87 +237,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -328,29 +323,34 @@
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,1648 +7,1654 @@
2022-10-01T00:00:00
-
- Disable DHCP Client in ifcfg
+
+ Ensure Remote Administrative Access Is Encrypted
- ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1
+ ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1
-
- Disable the abrt_handle_event SELinux Boolean
+
+ Disable the squid_connect_any SELinux Boolean
- ocil:ssg-sebool_abrt_handle_event_action:testaction:1
+ ocil:ssg-sebool_squid_connect_any_action:testaction:1
-
- Configure server restrictions for ntpd
+
+ Disable the cobbler_use_cifs SELinux Boolean
- ocil:ssg-ntpd_configure_restrictions_action:testaction:1
+ ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1
-
- Disable x86 vsyscall emulation
+
+ Disable Postfix Network Listening
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Disable the mpd_use_cifs SELinux Boolean
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-sebool_mpd_use_cifs_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Enable Public Key Authentication
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Disable Software RAID Monitor (mdmonitor)
+
+ Ensure PAM password complexity module is enabled in system-auth
- ocil:ssg-service_mdmonitor_disabled_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable the mount_anyfile SELinux Boolean
+
+ Ensure All Groups on the System Have Unique Group Names
- ocil:ssg-sebool_mount_anyfile_action:testaction:1
+ ocil:ssg-group_unique_name_action:testaction:1
-
- Enable IRQ Balance (irqbalance)
+
+ Disable the sanlock_use_samba SELinux Boolean
- ocil:ssg-service_irqbalance_enabled_action:testaction:1
+ ocil:ssg-sebool_sanlock_use_samba_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Disable the xdm_sysadm_login SELinux Boolean
+
+ Ensure All World-Writable Directories Are Owned by a System Account
- ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1
-
- Disable Samba
+
+ Disable the httpd_read_user_content SELinux Boolean
- ocil:ssg-service_smb_disabled_action:testaction:1
+ ocil:ssg-sebool_httpd_read_user_content_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1
-
- Enable the secadm_exec_content SELinux Boolean
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-sebool_secadm_exec_content_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Record Unsuccessful Permission Changes to Files - setxattr
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
-
- Disable the ftpd_full_access SELinux Boolean
+
+ Uninstall xinetd Package
- ocil:ssg-sebool_ftpd_full_access_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Disable the ftpd_use_nfs SELinux Boolean
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Ensure LDAP client is not installed
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Disable Quagga Service
+
+ Disable the daemons_use_tcp_wrapper SELinux Boolean
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -43,38 +43,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -82,87 +79,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -170,29 +165,34 @@
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -204,7 +204,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -247,64 +247,71 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -312,46 +319,43 @@
-
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -359,40 +363,36 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -206,7 +206,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -249,64 +249,71 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -314,46 +321,43 @@
-
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -361,40 +365,36 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,256 +7,244 @@
2022-10-01T00:00:00
-
- Disable DHCP Client in ifcfg
-
- ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1
-
-
-
- Disable the abrt_handle_event SELinux Boolean
-
- ocil:ssg-sebool_abrt_handle_event_action:testaction:1
-
-
-
- Disable x86 vsyscall emulation
+
+ Ensure Remote Administrative Access Is Encrypted
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-httpd_configure_remote_session_encryption_action:testaction:1
-
- Disable the mpd_use_cifs SELinux Boolean
+
+ Disable the squid_connect_any SELinux Boolean
- ocil:ssg-sebool_mpd_use_cifs_action:testaction:1
+ ocil:ssg-sebool_squid_connect_any_action:testaction:1
-
- Enable Public Key Authentication
+
+ Disable the cobbler_use_cifs SELinux Boolean
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1
-
- Configure SSSD to run as user sssd
+
+ Disable Postfix Network Listening
- ocil:ssg-sssd_run_as_sssd_user_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Disable Software RAID Monitor (mdmonitor)
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-service_mdmonitor_disabled_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Enable the mount_anyfile SELinux Boolean
+
+ Ensure PAM password complexity module is enabled in system-auth
- ocil:ssg-sebool_mount_anyfile_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Disable the xdm_sysadm_login SELinux Boolean
+
+ Ensure All Groups on the System Have Unique Group Names
- ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1
+ ocil:ssg-group_unique_name_action:testaction:1
-
- Disable Samba
+
+ Disable the sanlock_use_samba SELinux Boolean
- ocil:ssg-service_smb_disabled_action:testaction:1
+ ocil:ssg-sebool_sanlock_use_samba_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Enable the secadm_exec_content SELinux Boolean
+
+ Ensure All World-Writable Directories Are Owned by a System Account
- ocil:ssg-sebool_secadm_exec_content_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Disable the httpd_read_user_content SELinux Boolean
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-sebool_httpd_read_user_content_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1
-
- Disable the ftpd_full_access SELinux Boolean
+
+ Disable vsyscall mapping
- ocil:ssg-sebool_ftpd_full_access_action:testaction:1
+ ocil:ssg-kernel_config_legacy_vsyscall_none_action:testaction:1
-
- Configure GnuTLS library to use DoD-approved TLS Encryption
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Disable the ftpd_use_nfs SELinux Boolean
+
+ Record Unsuccessful Permission Changes to Files - setxattr
- ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Uninstall xinetd Package
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Disable Quagga Service
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-service_zebra_disabled_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Set hostname as computer node name in audit logs
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -43,64 +43,71 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -108,46 +115,43 @@
-
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -155,40 +159,36 @@
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -148,7 +148,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -191,14 +191,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -211,25 +227,19 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -237,61 +247,55 @@
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -299,35 +303,36 @@
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -150,7 +150,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -193,14 +193,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -213,25 +229,19 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -239,61 +249,55 @@
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -301,35 +305,36 @@
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,586 +7,580 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
-
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
-
-
- Disable the mpd_use_cifs SELinux Boolean
+
+ Disable the squid_connect_any SELinux Boolean
- ocil:ssg-sebool_mpd_use_cifs_action:testaction:1
+ ocil:ssg-sebool_squid_connect_any_action:testaction:1
-
- Enable Public Key Authentication
+
+ Disable the cobbler_use_cifs SELinux Boolean
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-sebool_cobbler_use_cifs_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Disable Postfix Network Listening
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-postfix_network_listening_disabled_action:testaction:1
-
- Enable the mount_anyfile SELinux Boolean
+
+ Perform general configuration of Audit for OSPP (ppc64le)
- ocil:ssg-sebool_mount_anyfile_action:testaction:1
+ ocil:ssg-audit_ospp_general_ppc64le_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Disable the xdm_sysadm_login SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Disable Samba
+
+ Ensure PAM password complexity module is enabled in system-auth
- ocil:ssg-service_smb_disabled_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable the secadm_exec_content SELinux Boolean
+
+ Disable the sanlock_use_samba SELinux Boolean
- ocil:ssg-sebool_secadm_exec_content_action:testaction:1
+ ocil:ssg-sebool_sanlock_use_samba_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Disable the httpd_read_user_content SELinux Boolean
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-sebool_httpd_read_user_content_action:testaction:1
-
- Disable the ftpd_full_access SELinux Boolean
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
- ocil:ssg-sebool_ftpd_full_access_action:testaction:1
+ ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1
-
- Configure GnuTLS library to use DoD-approved TLS Encryption
+
+ Disable vsyscall mapping
- ocil:ssg-configure_gnutls_tls_crypto_policy_action:testaction:1
+ ocil:ssg-kernel_config_legacy_vsyscall_none_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Require Credential Prompting for Remote Access in GNOME3
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1
-
- Disable the ftpd_use_nfs SELinux Boolean
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-sebool_ftpd_use_nfs_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Record Unsuccessful Permission Changes to Files - setxattr
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Uninstall xinetd Package
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Disable the mcelog_client SELinux Boolean
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-sebool_mcelog_client_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Disable the haproxy_connect_any SELinux Boolean
+
+ Disable storing core dumps
- ocil:ssg-sebool_haproxy_connect_any_action:testaction:1
+ ocil:ssg-sysctl_kernel_core_pattern_empty_string_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure LDAP client is not installed
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -43,14 +43,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -63,25 +79,19 @@
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
@@ -89,61 +99,55 @@
-
-
-
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -151,35 +155,36 @@
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,53 +171,55 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
@@ -225,50 +227,53 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -276,29 +281,24 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,53 +171,55 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
@@ -225,50 +227,53 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -276,29 +281,24 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,748 +7,742 @@
2022-10-01T00:00:00
-
- Disable the abrt_handle_event SELinux Boolean
-
- ocil:ssg-sebool_abrt_handle_event_action:testaction:1
-
-
-
- Disable x86 vsyscall emulation
+
+ Enable the selinuxuser_execmod SELinux Boolean
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-sebool_selinuxuser_execmod_action:testaction:1
-
- Enable Public Key Authentication
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure PAM password complexity module is enabled in system-auth
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwquality_system_auth_action:testaction:1
-
- Enable the mount_anyfile SELinux Boolean
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-sebool_mount_anyfile_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Configure Notification of Post-AIDE Scan Details
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-aide_scan_notification_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Disable the xdm_sysadm_login SELinux Boolean
+
+ Ensure All World-Writable Directories Are Owned by a System Account
- ocil:ssg-sebool_xdm_sysadm_login_action:testaction:1
+ ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Enable the secadm_exec_content SELinux Boolean
+
+ Uninstall xinetd Package
- ocil:ssg-sebool_secadm_exec_content_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Set Lockout Time for Failed Password Attempts
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Ensure LDAP client is not installed
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Disable the daemons_use_tcp_wrapper SELinux Boolean
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1
-
- Disable Quagga Service
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-service_zebra_disabled_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Verify ownership of Message of the Day Banner
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-file_owner_etc_motd_action:testaction:1
-
- Ensure SELinux Not Disabled in /etc/default/grub
+
+ Disable Kerberos Authentication
- ocil:ssg-grub2_enable_selinux_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Record Any Attempts to Run setfiles
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-audit_rules_execution_setfiles_action:testaction:1
-
- Set number of Password Hashing Rounds - password-auth
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Configure SSH to use System Crypto Policy
+
+ Verify Permissions on SSH Server config file
- ocil:ssg-configure_ssh_crypto_policy_action:testaction:1
+ ocil:ssg-file_permissions_sshd_config_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -43,53 +43,55 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
-
+
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
@@ -97,50 +99,53 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -148,29 +153,24 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -1863,6 +1863,15 @@
/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -160,7 +160,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -213,38 +213,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -252,87 +249,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -340,29 +335,34 @@
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -162,7 +162,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -215,38 +215,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -254,87 +251,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -342,29 +337,34 @@
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,38 +51,35 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
+
@@ -90,87 +87,85 @@
-
-
+
+
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
@@ -178,29 +173,34 @@
-
+
-
+
-
+
-
RPMS.2017/scap-security-guide-ubuntu-0.1.64-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.64-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-ubuntu-0.1.64-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.64-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-ubuntu
--- old-rpm-tags
+++ new-rpm-tags
@@ -201,4 +201,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html f6924987926b41365d140efcbf4ff99659cf8563ff84de9324e3f779ded9f39c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 37d792a8528112a22125f72bafd7556242dc038b353cc6e7d6090848ff66ef24 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 48b4444f9266ab14105cb515d49e0999dbc900ba782bd3e8e1b744274facf5a7 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 4d3671ef8f56303bf4dc05294a926e3c9afce5c79ef34213cc6ea4ad30ecc5d8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html d76a037726819837f10d45d298380e1cffce37b108da6f55a021c40305e81cf8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 172bae051279a348cf7f857e7e2072a123343f407ca2356fd6b550fa8e279ad4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 46763db7cc4f23347d0be3614062395aa86e9f1bf8d62ac4cfde357876b04ff9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html e384965a7bb889802b2e28afe18d7003ab8aad7ad4f37552876bef97ec2f2231 2
@@ -206,6 +206,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 84a3bfde3257c27600986bfb70a1464f7dd9c3f332dd74b049aa39292fb18f86 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 5bf367b41936f1f6bb815d0aa92388ac1ae4aaf12fcf7f01bda5b5c648686f63 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 620576c70475e479a197512d497cea22f960ee65af4816fd1988d171d28389fd 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 0343ec043ac9b65985793fc23cda9ba8fb6ee4180f3b2e3a6c0a057fe357565a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html b90e9503ba986342b44751d4db1cd2125f57c2181272c589a1f40c106f6f1ac1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html fba15ad7b6bf82dd0fbecd0a5da6f6123f055ef74b5a78d2ad873724a92bd4bb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 904c197883977babf2b365666d57c463ecb2fcf98e41a4bc0c975ba7e6f9c830 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 7568f099dc8950bcf9fcf6b3060127b7796f3db361c221f179b3a4cb8e3d872c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 6b3919e77e7681ca99197dbdabf7272c3596d437d0ac2c42bcf62943c3e46756 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html ea2a8266bc8d1423f1309fbe2c0d2e47698e38964bd848eeed25f37203750b96 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 2b64eebe2cd0be6f0ad36236a6fbce6097f29b67009b8e437144d2f4ffc97de2 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html 9d1659e30b0409b4365bd2a61cd02890a17c0b4c83a678d210c7ac7c49e2688e 2
@@ -213,5 +213,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 07bcbef7303b067398c579a71acb95efcd5ab41e2545f55dad31e1fe8f9106bd 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html fa18f7e793b2c8f657a38d1d0817bbbe9d50ffe5ba6e9deefa9e9ec83777453b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html a8b0f72638d5b659d8cac84797511db9f0cc11a8c83540c3b24656df8c5db01d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html d0a8aa05c67fa6a09b8f6a96ef7fe89f6ed52af1345f3d39e9175a19aaa7b9c8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 0557c1ff7e1db9ee768bb25f1b9df0c0eeff33b6d55712ec91bfd4533be96241 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html e76726028d9b3a5a7d9a7f598f6467bbf7ebaa1528cf4ed3c2c3e05c62f9a39b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 46d23ff4a10bc5e2ec8147d48acee52f46d31147d644a604b70fd845131e3641 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html e8b2f2e5791a01b6b3678cc711197ce6f9c35025264ec1bc86dbd4d4d0ced3d9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 476f0b4023ea9f4a9b65605d983cf3475240f07a923cf89a6d5bf08541fb5bc4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 2e775d1b4a093adcd8950d05beb260ae9c983145e6d0719b4c4f6b5e18265b59 2
@@ -219,6 +219,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 5d9b331fe380431bc8e1fcd457af93a452e62c4b36d320ee48db450e9b8be748 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 9a4180baedef33fb6e777a1a4f2af3ebf4069589e72ee9c8696a3fe46d2fb958 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html 0ff2c27016115c96ed669420c47ca7c4d7994e948995aa72a6c82315b0809e5b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html be52080f0caf718bb1560fe79ab6afbb93b4432d9c6f23dfe5f6cb520edfbed0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 409a6a7fae02fccc214086e1e9305aa0740f1d1fffc201699b20da6b7f382625 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html d0ade26129b4abf1883317ba5a3f3dd03a8932359779e1815ce9a262a56da2b1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html f59d68fcc7e3409aba759f9ca995a7fe77594fde5666cfe93ab63d2b55be3ed8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 692f64a11204a26c3dfb9db51a1ce66f273d48dd5ae47f199a30849315942a3d 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html 4ac446d0c9b283b116f5d82aa8c2a347d862a6006b087cc28c9c26790c8f96d1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html da6d2d8f1c030defb7a19af41a003531122f49d329e4175d2692e52f884a22a6 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 88a8e8135d5e9e3ae038e32dc44f237e77fd25b28957e1ab26475cc735505b82 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html a5103f33876ecadc071b7c52c96b56733be6de8f2a8b983aa4e6ae04e0ba1da2 2
@@ -226 +226 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html e494e55e5e0d7a0fe3742fbe52f5a2245eba591a053c058e34a3ba712bd99432 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html de657e11911a2ef0c042f051c22c0babfe5f1149c63d421c1711f46a27d7ad65 2
@@ -283,3 +283,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 10a66778ff80250dd528bf17efe7759ae7c3de9935ce0bf69c7f8b9343c90190 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 361a5addfbffdd0cf5f52e7e68cf50641843cf216a93d7909d6be762d74a2729 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml a866a0a6376a8ef134413cbe6b04060bdfb11b15555bd046f37cc73793cf603a 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml f0c2c057bd5f495015a880f2bf123f2f72c356a8fe74e8d4b2014a8a8d00f54a 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml b3de418ff7cc016cf9fddd33dc9474da71820c3ddcb922c264572c487ecc906b 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml e92c92176c93aecf3840e868296bdc91c6114baf58e16401c414f66c4852dc7d 0
@@ -287 +287 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 7871c2d1a81d25ed1a1434ce8cc037de8c866c611466b6b4ae7435586a44c3b5 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 8dae8112157a8c1332719100d4ffb16b66b257c0108fc0ce5fe16fd058589c4f 0
@@ -290,3 +290,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml ccb6b1946d62c7e2daceebe8e02a5fc8c12d6cb44d9ce0d3424d57d932dce9b7 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 4d915b08e70a3860352adb25b522e6dca51020f4e1cd77668a6f7de9bafe0229 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml f1cb7858ef5d98e7993d7f34d12e512c6216f7c26bce42aec9d8ef4b874250a4 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml af58bb6447019ca92e947861ca4701c2a64623857b1d813d561b4e1710a96dd4 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml e009ba6a71d48f2bfcec5d30d92383849d92ae919ccae31b0001ab5f3cc8fa56 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 129b70e9e1d60cc3c2c780aad4d58eff970096e97649bd0687dd07ef27df1340 0
@@ -294 +294 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml b8f11803a7d173d90ed2b144807fb2f35e6509e661895699505dba91c87ccd24 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml bb51ef980af5da7d6a9b34f8833820116fd2b9ceb08c6c9e8813a82c70cbb647 0
@@ -297,3 +297,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml fc7aec24520ae578c62b41fec3d5c1a16bca9f62a0dd6a03a3c1b7f9a948cded 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 9dd3bad27e8924f358ab41a0f1db74d1a0d3c3f43648f407e1aeafc66fe830d9 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml e7f263d8e1b50ff3cef95deff8941e0692a0e095ff7cfde7faad66ffe521de3f 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 736e857e1aa230eb3f472162efa49f0b73bad71b48cba83e747fdd315888524e 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 79937726d97fb3fd36c15019f3a46163989c9a0b89aa61c6d8428cbd0064405e 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 1cdf7011c19a1dd656373fd5e05789ce66af94a4c277b88f2c24809e88fede4d 0
@@ -301 +301 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml f69460437a258e30271633519d84bb88ae1cc1800b7b208743e0013fa306ddbe 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml f09c1f29732d87443ad88c656b564249f2ca8e009de70e773d7975ce06d31a1e 0
@@ -304,3 +304,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml cf2d005382a79ea7b23315bf59a640dce26b99e07ea38f1570525eb1285cde1f 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 39a096dcc231a873c83294aa7aa5fc0ba5f7dc8dcb15eb0e465008610461434a 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml a3663e5507e792c58b731da6a7919392aac380f08d698acfe49d57c6b8da0f14 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 085cc684ff6c0710a1d5b7fe99b3932e9b569f014612a694820adcd97d162fb4 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 3dba76c80c5826cb836a45a18c890635d6cc537da1b4b8f0a8e6d898ed201bd4 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 0b66a298317cc8665f50a712a1ce192ab2a54f06f37b96c4f86f2ce52973e194 0
@@ -308 +308 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml b5e1d2696098e4afb2cfa5fea7fd6937639ba6e2376d5ac5b36723c769f1ddeb 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 49385e9cfe8b97826417d555aa5273034bf303c318da918134c95f58891d0d75 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2022-10-01 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 40 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | | |
|
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,7 +507,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 22 groups and 46 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,18 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 9 groups and 19 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,7 +243,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 21 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,18 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 45 rules | | Group
@@ -230,18 +230,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -283,7 +283,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -484,7 +484,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 40 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,7 +507,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 22 groups and 46 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,18 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 9 groups and 19 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,7 +243,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,18 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -407,7 +407,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 71 rules | | Group
@@ -1280,7 +1280,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Network Configuration and Firewalls
Group contains 1 group and 2 rules | [ref]
@@ -1400,7 +1400,21 @@
kernel module from being loaded, add the following line to the file /etc/modprobe.d/rds.conf:
install rds /bin/true | | Rationale: | Disabling RDS protects
the system against exploitation of any flaws in its implementation. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled | | Identifiers and References | References:
- 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3 | | |
| Rule
Disable TIPC Support
[ref] | The Transparent Inter-Process Communication (TIPC) protocol
@@ -1445,7 +1445,21 @@
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. | | Rationale: | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled | | Identifiers and References | References:
- 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 | | |
| | Group
File Permissions and Masks
Group contains 7 groups and 41 rules | | To properly set the group owner of /etc/group-, run the command: $ sudo chgrp root /etc/group- | | Rationale: | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns Backup gshadow File
[ref] | To properly set the group owner of /etc/gshadow-, run the command: $ sudo chgrp shadow /etc/gshadow- | | Rationale: | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns Backup passwd File
[ref] | To properly set the group owner of /etc/passwd-, run the command: $ sudo chgrp root /etc/passwd- | | Rationale: | The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd | | Identifiers and References | References:
- CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 45 rules | | Group
@@ -228,18 +228,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -281,7 +281,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -482,7 +482,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 81 groups and 189 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -470,7 +470,21 @@
ensure => 'purged',
}
}
- Remediation Ansible snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
+
+# CAUTION: This remediation script will remove gdm3
+# from the system, and may remove any packages
+# that depend on gdm3. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -499,20 +513,6 @@
- medium_severity
- no_reboot_needed
- package_gdm_removed
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm3
-# from the system, and may remove any packages
-# that depend on gdm3. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
|
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -530,18 +530,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 78 groups and 188 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -557,18 +557,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
[ref] | The sudo use_pty tag, when specified, will only execute sudo
@@ -597,7 +597,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_use_pty | | Identifiers and References | References:
- BP28(R58), 1.3.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 92 groups and 273 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -515,7 +515,21 @@
ensure => 'purged',
}
}
- Remediation Ansible snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
+
+# CAUTION: This remediation script will remove gdm3
+# from the system, and may remove any packages
+# that depend on gdm3. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -544,20 +558,6 @@
- medium_severity
- no_reboot_needed
- package_gdm_removed
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm3
-# from the system, and may remove any packages
-# that depend on gdm3. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm3"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
|
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -575,18 +575,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 92 groups and 275 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -267,7 +267,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -602,18 +602,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
[ref] | The sudo use_pty tag, when specified, will only execute sudo
@@ -642,7 +642,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_use_pty | | Identifiers and References | References:
- BP28(R58), 1.3.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Apport Service
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 22 groups and 45 rules | | Group
@@ -257,18 +257,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, UBTU-20-010182, 4.1.1.1 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -311,7 +311,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, 4.1.1.2 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -512,7 +512,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7, 4.3 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- APT service configuration
- Base Services
- Deprecated services
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 74 groups and 190 rules | | Group
@@ -112,18 +112,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -263,7 +263,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -691,7 +691,37 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_authentication | | Identifiers and References | References:
- 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, UBTU-20-010014 | | |
| | Group
Updating Software
Group contains 1 rule | [ref]
@@ -1420,7 +1420,42 @@
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit | | Identifiers and References | References:
- BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, SRG-OS-000071-VMM-000380, UBTU-20-010052, 5.3.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 81 groups and 189 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -464,7 +464,21 @@
ensure => 'purged',
}
}
- Remediation Ansible snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
+
+# CAUTION: This remediation script will remove gdm
+# from the system, and may remove any packages
+# that depend on gdm. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -493,20 +507,6 @@
- medium_severity
- no_reboot_needed
- package_gdm_removed
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm
-# from the system, and may remove any packages
-# that depend on gdm. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
|
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -524,18 +524,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 78 groups and 188 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -551,18 +551,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
[ref] | The sudo use_pty tag, when specified, will only execute sudo
@@ -591,7 +591,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_use_pty | | Identifiers and References | References:
- BP28(R58), 1.3.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 92 groups and 273 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -509,7 +509,21 @@
ensure => 'purged',
}
}
- Remediation Ansible snippet ⇲
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
+
+# CAUTION: This remediation script will remove gdm
+# from the system, and may remove any packages
+# that depend on gdm. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
- name: Gather the package facts
package_facts:
manager: auto
tags:
@@ -538,20 +552,6 @@
- medium_severity
- no_reboot_needed
- package_gdm_removed
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | disable |
|---|
# Remediation is applicable only in certain platforms
-if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
-
-# CAUTION: This remediation script will remove gdm
-# from the system, and may remove any packages
-# that depend on gdm. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-DEBIAN_FRONTEND=noninteractive apt-get remove -y "gdm"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
|
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -569,18 +569,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 92 groups and 275 rules | | Group
@@ -110,18 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,18 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -266,7 +266,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.4.2 | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -596,18 +596,26 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 1.3.1 | | |
| Rule
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
[ref] | The sudo use_pty tag, when specified, will only execute sudo
@@ -636,7 +636,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_use_pty | | Identifiers and References | References:
- BP28(R58), 1.3.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.64 - draft
- (as of 2022-10-02)
+ (as of 2038-11-03)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Apport Service
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 22 groups and 45 rules | | Group
@@ -257,18 +257,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, 4.1.1.1 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -310,7 +310,10 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, 4.1.1.2 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -511,7 +511,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7, 4.3 | | |
| Rule
Ensure rsyslog is Installed
[ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 | | Remediation OSBuild Blueprint snippet ⇲
+[[packages]]
+name = "rsyslog"
+version = "*"
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | enable |
|---|
include install_rsyslog
class install_rsyslog {
package { 'rsyslog':
ensure => 'installed',
}
}
-
-[[packages]]
-name = "rsyslog"
-version = "*"
-
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | enable |
|---|
- name: Ensure rsyslog is installed
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | enable |
|---|
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "rsyslog"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
| Complexity: | low |
|---|
| Disruption: | low |
|---|
| Strategy: | enable |
|---|
- name: Ensure rsyslog is installed
package:
name: rsyslog
state: present
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -96,7 +96,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -139,64 +139,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -204,19 +204,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2870,20 +2870,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2905,6 +2891,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -2922,20 +2922,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2957,6 +2943,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -98,7 +98,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -141,64 +141,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -206,19 +206,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2872,20 +2872,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2907,6 +2893,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -2924,20 +2924,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2959,6 +2945,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,22 +7,22 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable Public Key Authentication
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
@@ -31,142 +31,118 @@
ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Enforce Spectre v2 mitigation
-
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
-
-
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
-
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
-
-
-
- Set hostname as computer node name in audit logs
-
- ocil:ssg-auditd_name_format_action:testaction:1
-
-
-
- Enable SSH Warning Banner
-
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
-
-
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Disable Kerberos Authentication
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Enable auditd Service
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Resolve information before writing to audit logs
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
-
- Verify Permissions on /var/log Directory
+
+ Enable Yama support
- ocil:ssg-file_permissions_var_log_action:testaction:1
+ ocil:ssg-kernel_config_security_yama_action:testaction:1
-
- Kernel panic on oops
+
+ Verify Permissions on shadow File
- ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1
+ ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
- Disallow Configuration to Bypass Password Requirements for Privilege Escalation
+
+ Do not allow ACPI methods to be inserted/replaced at run time
- ocil:ssg-disallow_bypass_password_sudo_action:testaction:1
+ ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1
-
- Verify that All World-Writable Directories Have Sticky Bits Set
+
+ Ensure auditd Collects File Deletion Events by User - unlink
- ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Verify that Shared Library Files Have Restrictive Permissions
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-file_permissions_library_dirs_action:testaction:1
-
- Verify that System Executables Have Restrictive Permissions
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-file_permissions_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Disable SSH Support for User Known Hosts
+
+ Set Password Minimum Length in login.defs
- ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1
+ ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1
-
- Enable SSH Print Last Log
+
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 16.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 16.04. It is a rendering of
@@ -43,64 +43,64 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -108,19 +108,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2774,20 +2774,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2809,6 +2795,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -2826,20 +2826,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -2861,6 +2847,20 @@
false
fi
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -147,24 +147,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -172,31 +173,29 @@
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -204,19 +203,20 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -224,19 +224,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3224,20 +3224,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3259,6 +3245,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3276,20 +3276,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -147,24 +147,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -172,31 +173,29 @@
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -204,19 +203,20 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -224,19 +224,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3224,20 +3224,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3259,6 +3245,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3276,20 +3276,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,22 +7,22 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Enable Public Key Authentication
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
@@ -31,328 +31,328 @@
ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Disable Kerberos Authentication
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Resolve information before writing to audit logs
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Enable Yama support
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-kernel_config_security_yama_action:testaction:1
-
- Enable auditd Service
+
+ Verify Permissions on shadow File
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-file_permissions_etc_shadow_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Do not allow ACPI methods to be inserted/replaced at run time
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Ensure auditd Collects File Deletion Events by User - unlink
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1
-
- Verify Permissions on /var/log Directory
+
+ Verify that Shared Library Files Have Restrictive Permissions
- ocil:ssg-file_permissions_var_log_action:testaction:1
+ ocil:ssg-file_permissions_library_dirs_action:testaction:1
-
- Kernel panic on oops
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
- ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1
+ ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1
-
- Disallow Configuration to Bypass Password Requirements for Privilege Escalation
+
+ Set Password Minimum Length in login.defs
- ocil:ssg-disallow_bypass_password_sudo_action:testaction:1
+ ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1
-
- Verify that All World-Writable Directories Have Sticky Bits Set
+
+ Verify User Who Owns group File
- ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1
+ ocil:ssg-file_owner_etc_group_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Enable different security models
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-kernel_config_security_action:testaction:1
-
- Verify that System Executables Have Restrictive Permissions
+
+ Ensure No World-Writable Files Exist
- ocil:ssg-file_permissions_binary_dirs_action:testaction:1
+ ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 18.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 18.04. It is a rendering of
@@ -43,24 +43,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -68,31 +69,29 @@
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
@@ -100,19 +99,20 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
@@ -120,19 +120,19 @@
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3120,20 +3120,6 @@
BP28(R58)
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -3155,6 +3141,20 @@
false
fi
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
@@ -3172,20 +3172,6 @@
BP28(R58)
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
-
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -147,24 +147,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -172,75 +172,75 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3074,6 +3074,11 @@
UBTU-20-010450
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -3082,10 +3087,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
- name: Ensure aide is installed
package:
@@ -3104,15 +3113,6 @@
- no_reboot_needed
- package_aide_installed
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
@@ -3209,6 +3209,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -147,24 +147,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -172,75 +172,75 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -3074,6 +3074,11 @@
UBTU-20-010450
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -3082,10 +3087,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
- name: Ensure aide is installed
package:
@@ -3104,15 +3113,6 @@
- no_reboot_needed
- package_aide_installed
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
@@ -3209,6 +3209,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,430 +7,425 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
-
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
-
-
- Enable Public Key Authentication
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Offload audit Logs to External Media
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-auditd_offload_logs_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Uninstall xinetd Package
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Ensure LDAP client is not installed
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Limit Password Reuse
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Verify ownership of Message of the Day Banner
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-file_owner_etc_motd_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Disable Kerberos Authentication
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - kmod
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Verify Permissions on SSH Server config file
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-file_permissions_sshd_config_action:testaction:1
-
- Remove the X Windows Package Group
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Verify Group Who Owns Crontab
+
+ Resolve information before writing to audit logs
- ocil:ssg-file_groupowner_crontab_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Enable auditd Service
+
+ Record Events that Modify User/Group Information - /etc/security/opasswd
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 20.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 20.04. It is a rendering of
@@ -43,24 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -68,75 +68,75 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2970,6 +2970,11 @@
UBTU-20-010450
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2978,10 +2983,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
- name: Ensure aide is installed
package:
@@ -3000,15 +3009,6 @@
- no_reboot_needed
- package_aide_installed
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
@@ -3105,6 +3105,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2022-10-01 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -147,24 +147,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -172,75 +172,75 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2677,6 +2677,11 @@
SRG-OS-000445-GPOS-00199
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2685,10 +2690,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
- name: Ensure aide is installed
package:
@@ -2706,15 +2715,6 @@
- no_reboot_needed
- package_aide_installed
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
@@ -2811,6 +2811,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 2022-10-01 00:00:00.000000000 +0000
@@ -104,7 +104,7 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -147,24 +147,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -172,75 +172,75 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2677,6 +2677,11 @@
SRG-OS-000445-GPOS-00199
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2685,10 +2690,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
- name: Ensure aide is installed
package:
@@ -2706,15 +2715,6 @@
- no_reboot_needed
- package_aide_installed
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
@@ -2811,6 +2811,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 2022-10-01 00:00:00.000000000 +0000
@@ -7,430 +7,425 @@
2022-10-01T00:00:00
-
- Disable x86 vsyscall emulation
-
- ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1
-
-
-
- Enable Public Key Authentication
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
- ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1
-
- Verify Permissions on gshadow File
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
- ocil:ssg-file_permissions_etc_gshadow_action:testaction:1
+ ocil:ssg-accounts_logon_fail_delay_action:testaction:1
-
- Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+ Configure auditd Disk Error Action on Disk Error
- ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
+ ocil:ssg-auditd_data_disk_error_action_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Offload audit Logs to External Media
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-auditd_offload_logs_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+
+ Record Events that Modify User/Group Information - /etc/shadow
- ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1
-
- Verify Group Who Owns cron.monthly
+
+ Uninstall xinetd Package
- ocil:ssg-file_groupowner_cron_monthly_action:testaction:1
+ ocil:ssg-package_xinetd_removed_action:testaction:1
-
- Verify Owner on cron.daily
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
- ocil:ssg-file_owner_cron_daily_action:testaction:1
+ ocil:ssg-auditd_overflow_action_action:testaction:1
-
- Set hostname as computer node name in audit logs
+
+ Ensure LDAP client is not installed
- ocil:ssg-auditd_name_format_action:testaction:1
+ ocil:ssg-package_openldap-clients_removed_action:testaction:1
-
- Enable SSH Warning Banner
+
+ Limit Password Reuse
- ocil:ssg-sshd_enable_warning_banner_action:testaction:1
+ ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - open_by_handle_at
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
- ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1
+ ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - chown
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
- ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - fchownat
+
+ Verify ownership of Message of the Day Banner
- ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1
+ ocil:ssg-file_owner_etc_motd_action:testaction:1
-
- Verify Permissions on SSH Server config file
+
+ Disable Kerberos Authentication
- ocil:ssg-file_permissions_sshd_config_action:testaction:1
+ ocil:ssg-sshd_disable_kerb_auth_action:testaction:1
-
- Ensure auditd Collects Information on the Use of Privileged Commands - kmod
+
+ Force kernel panic on uncorrected MCEs
- ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
+ ocil:ssg-grub2_mce_argument_action:testaction:1
-
- Set Default iptables Policy for Forwarded Packets
+
+ Record attempts to alter time through settimeofday
- ocil:ssg-set_iptables_default_rule_forward_action:testaction:1
+ ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
-
- Limit the Number of Concurrent Login Sessions Allowed Per User
+
+ Verify Permissions on SSH Server config file
- ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1
+ ocil:ssg-file_permissions_sshd_config_action:testaction:1
-
- Remove the X Windows Package Group
+
+ Enable Randomized Layout of Virtual Address Space
- ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1
+ ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1
-
- Verify Group Who Owns Crontab
+
+ Resolve information before writing to audit logs
- ocil:ssg-file_groupowner_crontab_action:testaction:1
+ ocil:ssg-auditd_log_format_action:testaction:1
-
- Enable auditd Service
+
+ Record Events that Modify User/Group Information - /etc/security/opasswd
- ocil:ssg-service_auditd_enabled_action:testaction:1
+ ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1
-
- Restrict Exposed Kernel Pointer Addresses Access
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
- ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1
+ ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 2022-10-01 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Ubuntu 22.04
This guide presents a catalog of security-relevant
configuration settings for Ubuntu 22.04. It is a rendering of
@@ -43,24 +43,24 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -68,75 +68,75 @@
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -2573,6 +2573,11 @@
SRG-OS-000445-GPOS-00199
1.4.1
The AIDE package must be installed if it is to be available for integrity checking.
+
+[[packages]]
+name = "aide"
+version = "*"
+
include install_aide
class install_aide {
@@ -2581,10 +2586,14 @@
}
}
-
-[[packages]]
-name = "aide"
-version = "*"
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
- name: Ensure aide is installed
package:
@@ -2602,15 +2611,6 @@
- no_reboot_needed
- package_aide_installed
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
@@ -2707,6 +2707,18 @@
1.4.1
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
+ # Remediation is applicable only in certain platforms
overalldiffered=4 (number of pkgs that are not bit-by-bit identical: 0 is good)
overall=1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|