Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -499,20 +499,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 180 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -291,7 +291,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -428,7 +428,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-204446r880851_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 57 groups and 156 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -453,25 +453,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -499,20 +499,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 27 groups and 39 rules | Group
@@ -111,7 +111,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-204430r853885_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-204429r861003_rule | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-204429r861003_rule | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -255,7 +255,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r877463_rule | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SV-204448r877463_rule | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html 2023-02-06 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 107 groups and 303 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 96 groups and 239 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 89 groups and 233 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 104 groups and 300 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 102 rules | Group
@@ -145,7 +145,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -331,7 +331,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -508,7 +508,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -150,11 +150,30 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -230,7 +230,74 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-204497r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 46 groups and 94 rules | Group
@@ -147,7 +147,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -328,7 +328,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -450,7 +450,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -574,7 +574,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-204430r853885_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html 2023-02-06 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 54 groups and 142 rules | Group
@@ -150,7 +150,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -336,7 +336,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -530,7 +530,69 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html 2023-02-06 00:00:00.000000000 +0000
@@ -101,7 +101,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 105 groups and 385 rules | Group
@@ -168,7 +168,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -354,7 +354,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -531,7 +531,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -141,11 +141,30 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -221,7 +221,74 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-204497r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,7 +327,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -504,7 +504,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 377 rules | Group
@@ -143,7 +143,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -324,7 +324,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -446,7 +446,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 48 groups and 142 rules | Group
@@ -166,7 +166,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -347,7 +347,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -469,7 +469,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -623,7 +623,74 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-204497r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 38 groups and 68 rules | | Group
@@ -121,11 +121,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -277,7 +277,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -373,7 +373,9 @@
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -452,7 +452,34 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,7 +143,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -523,7 +523,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -631,7 +631,34 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 103 groups and 274 rules | Group
@@ -152,7 +152,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -333,7 +333,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -455,7 +455,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:centos:centos:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 273 rules | Group
@@ -158,7 +158,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -339,7 +339,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -461,7 +461,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 173 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -453,25 +453,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -499,20 +499,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 186 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -291,7 +291,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -423,7 +423,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SV-230263r880708_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 161 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -184,7 +184,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -453,25 +453,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -499,20 +499,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 44 rules | Group
@@ -111,7 +111,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230272r854027_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -174,7 +174,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SV-230271r854026_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -242,11 +242,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,24 +279,7 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 113 groups and 325 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 100 groups and 255 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 95 groups and 250 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 108 groups and 321 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 106 rules | Group
@@ -145,7 +145,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -325,7 +325,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,7 +499,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 211 rules | | Group
@@ -134,11 +134,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -209,7 +209,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -297,7 +297,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r877398_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -434,11 +434,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | Group
@@ -147,7 +147,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -322,7 +322,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,7 +441,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -584,7 +584,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | Group
@@ -150,7 +150,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -330,7 +330,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -473,7 +473,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | Group
@@ -151,7 +151,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -326,7 +326,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -445,7 +445,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 211 rules | | Group
@@ -125,11 +125,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,7 +200,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -288,7 +288,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SV-230223r877398_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -425,11 +425,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 126 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,7 +495,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 72 rules | | Group
@@ -121,11 +121,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -201,7 +201,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -293,7 +293,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, 5.2.14, SV-244526r877394_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -433,7 +433,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-230264r880711_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | Group
@@ -143,7 +143,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -323,7 +323,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -491,7 +491,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 394 rules | | Group
@@ -129,11 +129,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -189,7 +189,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -295,81 +295,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:centos:centos:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 102 groups and 391 rules | | Group
@@ -135,11 +135,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -195,7 +195,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -301,81 +301,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 62 groups and 164 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -409,25 +409,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -454,20 +454,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 62 groups and 177 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -286,7 +286,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -677,25 +677,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 57 groups and 152 rules | | Group
@@ -124,11 +124,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -409,25 +409,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -454,20 +454,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 27 groups and 44 rules | Group
@@ -111,7 +111,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -236,11 +236,24 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -355,7 +355,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.2 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 108 groups and 317 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -182,7 +182,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -440,7 +440,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 92 groups and 239 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -182,7 +182,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -440,7 +440,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 89 groups and 236 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -182,7 +182,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -440,7 +440,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 103 groups and 312 rules | | Group
@@ -123,11 +123,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -182,7 +182,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -440,7 +440,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -147,7 +147,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -280,11 +280,24 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -334,7 +334,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -425,7 +425,34 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | Group
@@ -147,7 +147,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -322,7 +322,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,7 +441,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -584,7 +584,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | Group
@@ -150,7 +150,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -330,7 +330,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -473,7 +473,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | Group
@@ -151,7 +151,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -326,7 +326,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -445,7 +445,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -137,7 +137,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -270,11 +270,24 @@
$ sudo dnf install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -324,7 +324,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -415,7 +415,34 @@
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -494,7 +494,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 115 groups and 496 rules | | Group
@@ -130,11 +130,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,77 +189,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
- cpe:/o:centos:centos:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 113 groups and 491 rules | | Group
@@ -136,11 +136,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -195,77 +195,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:35
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- Network Time Protocol
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 62 groups and 206 rules | Group
@@ -139,7 +139,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -324,7 +324,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -501,7 +501,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:35
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 47 groups and 121 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -485,7 +485,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:fedoraproject:fedora:35
- cpe:/o:fedoraproject:fedora:36
- cpe:/o:fedoraproject:fedora:37
- cpe:/o:fedoraproject:fedora:38
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Fedora
Group contains 39 groups and 76 rules | Group
@@ -133,7 +133,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -313,7 +313,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -443,7 +443,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -590,7 +590,45 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 61 groups and 162 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -404,25 +404,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -449,7 +449,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 61 groups and 176 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020030, SV-221708r853668_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -419,7 +419,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL07-00-020040, SV-221709r853669_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 57 groups and 152 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -404,25 +404,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -449,7 +449,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 27 groups and 39 rules | Group
@@ -102,7 +102,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r853731_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r860860_rule | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010340, SV-221692r860860_rule | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -246,7 +246,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r860861_rule | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020060, SV-221711r860862_rule | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
-has been provided by a trusted vendor.
-
-Accordingly, patches, service packs, device drivers, or operating system components must
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 2023-02-06 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 47 groups and 102 rules | Group
@@ -136,7 +136,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -322,7 +322,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,7 +499,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -141,11 +141,30 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -221,7 +221,74 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r860863_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 46 groups and 93 rules | Group
@@ -138,7 +138,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -319,7 +319,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -441,7 +441,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -565,7 +565,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL07-00-010350, SV-228569r853731_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 2023-02-06 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 54 groups and 142 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,7 +327,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -521,7 +521,69 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 2023-02-06 00:00:00.000000000 +0000
@@ -91,7 +91,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 104 groups and 382 rules | Group
@@ -158,7 +158,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -344,7 +344,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -521,7 +521,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 51 groups and 104 rules | | Group
@@ -132,11 +132,30 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -212,7 +212,74 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL07-00-021350, SV-221758r860863_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 48 groups and 99 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -318,7 +318,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -495,7 +495,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 10 groups and 9 rules | | Group
@@ -94,11 +94,24 @@
$ sudo yum install glibc | | Rationale: | The glibc package contains standard C and math libraries used by
multiple programs on Linux. The glibc shipped with first release
of each major Linux version is often not sufficient for SAP.
-An update is required after the first OS installation. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_glibc_installed | | Identifiers and References | | |
| Rule
Package uuidd Installed
[ref] | The package uuidd is not installed on normal Linux distribution
@@ -134,11 +134,24 @@
$ sudo yum install uuidd | | Rationale: | The uuidd package contains a userspace daemon (uuidd) which is
used to generate unique identifiers even at very high rates on
-SMP systems. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_uuidd_installed | | Identifiers and References | | |
| Rule
Only sidadm and orasid/oracle User Accounts Exist on Operating System
[ref] | SAP tends to use the server or virtual machine exclusively. There should be only
@@ -318,7 +318,12 @@
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow | | Identifiers and References | References:
- BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| | Group
Services
Group contains 3 groups and 5 rules | [ref]
@@ -402,18 +402,7 @@
NIS maps. NIS generally has been replaced by such protocols as Lightweight
Directory Access Protocol (LDAP). It is recommended that the service be
removed. | | Severity: | unknown | | Rule ID: | xccdf_org.ssgproject.content_rule_package_ypbind_removed | | Identifiers and References | References:
- BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
Uninstall ypserv Package
[ref] | The ypserv package can be removed with the following command:
@@ -444,24 +444,7 @@
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_package_ypserv_removed | | Identifiers and References | References:
- BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.4, SRG-OS-000095-GPOS-00049, OL07-00-020010, SV-221705r603260_rule | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 28 groups and 72 rules | Group
@@ -134,7 +134,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,7 +320,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -506,7 +506,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, OL07-00-020050, SV-221710r860861_rule | | |
| Rule
Ensure Oracle Linux GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software
@@ -665,7 +665,10 @@
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_security_patches_up_to_date | | Identifiers and References | References:
- BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, OL07-00-020260, SV-221720r603260_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 102 groups and 279 rules | Group
@@ -133,7 +133,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -314,7 +314,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -436,7 +436,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 7
Group contains 100 groups and 278 rules | Group
@@ -139,7 +139,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, OL07-00-010020, SV-221653r853660_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -320,7 +320,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -442,7 +442,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, OL07-00-010010, SV-221652r833014_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL07-00-020029, SV-251701r860890_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 61 groups and 170 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -404,25 +404,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -449,7 +449,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 61 groups and 184 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -282,7 +282,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -414,7 +414,35 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL08-00-010360, SV-248573r853752_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 57 groups and 160 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -175,7 +175,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -404,25 +404,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -449,7 +449,27 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 27 groups and 44 rules | Group
@@ -102,7 +102,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010381, SV-248582r853764_rule | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r860915_rule | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, OL08-00-010380, SV-248581r860915_rule | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -231,11 +231,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -268,24 +268,7 @@
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 49 groups and 105 rules | Group
@@ -136,7 +136,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -316,7 +316,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -490,7 +490,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -125,11 +125,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -200,7 +200,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r853747_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -288,7 +288,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r853747_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -425,11 +425,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 48 groups and 95 rules | Group
@@ -138,7 +138,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -313,7 +313,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -432,7 +432,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -575,7 +575,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r853747_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 54 groups and 140 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -464,7 +464,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r853747_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -536,7 +536,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, OL08-00-010287, SV-248560r818614_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -648,7 +648,69 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 63 groups and 205 rules | | Group
@@ -116,11 +116,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -191,7 +191,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r853747_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -279,7 +279,33 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, OL08-00-010020, SV-248524r853747_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -416,11 +416,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 50 groups and 125 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -486,7 +486,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 29 groups and 78 rules | Group
@@ -134,7 +134,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -314,7 +314,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -482,7 +482,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r853747_rule | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -554,7 +554,10 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, OL08-00-010020, SV-248524r853747_rule | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -586,7 +586,18 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, SRG-OS-000033-GPOS-00014, OL08-00-010020, SV-248524r853747_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 106 groups and 403 rules | | Group
@@ -110,11 +110,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -170,7 +170,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -276,81 +276,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r833241_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 8
Group contains 104 groups and 401 rules | | Group
@@ -116,11 +116,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -176,7 +176,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r854183_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -282,81 +282,7 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r833241_rule | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 160 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -372,25 +372,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -417,20 +417,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 172 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -277,7 +277,24 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -640,25 +640,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 56 groups and 149 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -174,7 +174,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -372,25 +372,7 @@
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -417,20 +417,7 @@
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | References:
- BP28(R58) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 26 groups and 42 rules | Group
@@ -102,7 +102,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -227,11 +227,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -346,7 +346,39 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 | | |
| | | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -199,7 +199,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -332,11 +332,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -411,7 +411,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 45 groups and 96 rules | Group
@@ -138,7 +138,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -313,7 +313,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -432,7 +432,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -575,7 +575,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 52 groups and 135 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -321,7 +321,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -464,7 +464,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -534,7 +534,11 @@
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093 | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -645,7 +645,69 @@
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 60 groups and 184 rules | | Group
@@ -115,11 +115,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -189,7 +189,19 @@
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -322,11 +322,24 @@
$ sudo yum install crypto-policies | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure BIND to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -401,7 +401,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 49 groups and 123 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -485,7 +485,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 29 groups and 78 rules | Group
@@ -134,7 +134,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -314,7 +314,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -482,7 +482,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure Kerberos to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -552,7 +552,10 @@
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. | | Rationale: | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | | Identifiers and References | References:
- 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 | | |
| Rule
Configure Libreswan to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -583,7 +583,18 @@
include /etc/crypto-policies/back-ends/libreswan.config | | Rationale: | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy | | Identifiers and References | References:
- CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, SRG-OS-000033-GPOS-00014 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 105 groups and 358 rules | | Group
@@ -111,11 +111,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -170,7 +170,68 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Hardware RNG Entropy Gatherer Daemon
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Oracle Linux 9
Group contains 103 groups and 357 rules | | Group
@@ -117,11 +117,30 @@
[ref] | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -176,7 +176,68 @@
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 90 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 2023-02-06 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 43 groups and 94 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 2023-02-06 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Mail Server Software
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 40 groups and 82 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 2023-02-06 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- Services
- Mail Server Software
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 10 groups and 7 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 2023-02-06 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- File Permissions and Masks
- SELinux
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 23 groups and 51 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 2023-02-06 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 242 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 2023-02-06 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 2023-02-06 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux_coreos:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
Group contains 52 groups and 241 rules | Group
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 2023-02-06 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Base Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 234 rules | Group
@@ -120,11 +120,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -183,7 +183,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r880848_rule | | |
| Rule
Disable Prelinking
[ref] | The prelinking feature changes binaries in an attempt to decrease their startup
@@ -317,7 +317,22 @@
$ sudo /usr/sbin/prelink -ua | | Rationale: | Because the prelinking feature changes binaries, it can interfere with the
operation of certain software and/or modes such as AIDE, FIPS, etc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_disable_prelink | | Identifiers and References | Identifiers:
CCE-27078-5 References:
- 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, CM-6(a), PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, 1.5.4 | | |
| | Group
Disk Partitioning
Group contains 6 rules | [ref]
@@ -554,7 +554,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 166 rules | Group
@@ -116,11 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -462,11 +462,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82213-0 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -510,21 +510,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 61 groups and 180 rules | Group
@@ -116,11 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r880848_rule | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -433,7 +433,35 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-80374-2 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020040, SV-204446r880851_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 57 groups and 156 rules | Group
@@ -116,11 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -462,11 +462,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82213-0 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.2.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -510,21 +510,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83819-3 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 27 groups and 39 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r853885_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -167,7 +167,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-80351-0 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010340, SV-204429r861003_rule | | |
| | Group
Updating Software
Group contains 5 rules | [ref]
@@ -253,7 +253,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | yum should be configured to verify the signature(s) of local packages
+prior to installation. To configure yum to verify signatures of local
+packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
+of the operating system. This requirement ensures the software has not been tampered and
+has been provided by a trusted vendor.
+
+Accordingly, patches, service packs, device drivers, or operating system components must
+be signed with a certificate recognized and approved by the organization. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages | | Identifiers and References | Identifiers:
+ CCE-80347-8 References:
+ BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020060, SV-204448r877463_rule | |
| Rule
- Ensure gpgcheck Enabled for Local Packages
- [ref] | yum should be configured to verify the signature(s) of local packages
-prior to installation. To configure yum to verify signatures of local
-packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.
| | Rationale: | Changes to any software components can have significant effects to the overall security
-of the operating system. This requirement ensures the software has not been tampered and
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 107 groups and 303 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -420,7 +420,27 @@
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | Identifiers:
CCE-86562-6 References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 96 groups and 239 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -420,7 +420,27 @@
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | Identifiers:
CCE-86562-6 References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 89 groups and 233 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -420,7 +420,27 @@
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | Identifiers:
CCE-86562-6 References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 104 groups and 300 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-26952-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-07-020030, 1.3.2, SV-204445r880848_rule | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
@@ -420,7 +420,27 @@
$ sudo yum erase prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | Identifiers:
CCE-86562-6 References:
- 1.5.4 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 102 rules | | Group
@@ -137,7 +137,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -330,7 +330,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -451,11 +451,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -513,7 +513,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -142,11 +142,30 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | Identifiers:
CCE-80358-5 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -224,7 +224,74 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 46 groups and 94 rules | | Group
@@ -139,7 +139,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -327,7 +327,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -453,7 +453,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Sudo
Group contains 3 rules | [ref]
@@ -581,7 +581,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-80350-2 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-07-010350, SV-204430r853885_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 54 groups and 142 rules | | Group
@@ -142,7 +142,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -335,7 +335,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Disk Partitioning
Group contains 1 rule | [ref]
@@ -534,7 +534,69 @@
After the settings have been set, run dconf update. | | Rationale: | Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt | | Identifiers and References | Identifiers:
CCE-80120-9 References:
- 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) | | |
| Rule
+ Require Encryption for Remote Access in GNOME3
+ [ref] | By default, GNOME requires encryption when using Vino for remote access.
+To prevent remote access encryption from being disabled, add or set
+ require-encryption to true in
+ /etc/dconf/db/local.d/00-security-settings. For example:
+ [org/gnome/Vino]
+require-encryption=true
+
+Once the settings have been added, add a lock to
+ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+ /org/gnome/Vino/require-encryption
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 2023-02-06 00:00:00.000000000 +0000
@@ -92,7 +92,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 105 groups and 385 rules | | Group
@@ -160,7 +160,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -353,7 +353,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -474,11 +474,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -536,7 +536,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- NFS and RPC
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 50 groups and 103 rules | | Group
@@ -133,11 +133,30 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dracut-fips_installed | | Identifiers and References | Identifiers:
CCE-80358-5 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-002450, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode in GRUB2
[ref] | To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
@@ -215,7 +215,74 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -326,7 +326,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -447,11 +447,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -509,7 +509,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-27220-3 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 100 groups and 377 rules | | Group
@@ -135,7 +135,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -323,7 +323,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -449,7 +449,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -570,11 +570,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 48 groups and 142 rules | | Group
@@ -158,7 +158,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -346,7 +346,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -472,7 +472,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -630,7 +630,74 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80359-3 References:
- 12, 15, 8, 5.10.1.2, APO13.01, DSS01.04, DSS05.02, DSS05.03, 3.13.8, 3.13.11, CCI-000068, CCI-000803, CCI-001199, CCI-002450, CCI-002476, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, PR.AC-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-07-021350, SV-204497r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 38 groups and 68 rules | Group
@@ -113,11 +113,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -275,7 +275,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure gpgcheck Enabled for All yum Package Repositories
[ref] | To ensure signature checking is not disabled for
@@ -374,7 +374,9 @@
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled | | Identifiers and References | Identifiers:
CCE-26876-3 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -456,7 +456,34 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | | Group
@@ -135,7 +135,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -328,7 +328,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -528,7 +528,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-26989-4 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-07-020050, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -639,7 +639,34 @@
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | Identifiers:
CCE-26957-1 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 103 groups and 274 rules | | Group
@@ -144,7 +144,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -332,7 +332,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -458,7 +458,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -579,11 +579,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SNMP Server
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 101 groups and 273 rules | | Group
@@ -150,7 +150,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-27157-7 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, RHEL-07-010020, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -338,7 +338,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-80545-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -464,7 +464,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-27209-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, RHEL-07-010010, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | [ref]
@@ -585,11 +585,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-27096-7 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-07-020029, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 173 rules | Group
@@ -116,11 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -462,11 +462,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82214-8 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -510,21 +510,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 186 rules | Group
@@ -116,11 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -290,7 +290,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -428,7 +428,35 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_scan_notification | | Identifiers and References | Identifiers:
CCE-82891-3 References:
- BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r880708_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 57 groups and 161 rules | Group
@@ -116,11 +116,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -178,7 +178,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| | Group
Disk Partitioning
Group contains 10 rules | [ref]
@@ -462,11 +462,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-82214-8 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure sudo Runs In A Minimal Environment - sudo env_reset
[ref] | The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -510,21 +510,7 @@
in /etc/sudoers.d/. | | Rationale: | Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_env_reset | | Identifiers and References | Identifiers:
CCE-83820-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 27 groups and 44 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-82202-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010381, SV-230272r854027_rule | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -169,7 +169,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-82197-5 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010380, SV-230271r854026_rule | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -240,11 +240,24 @@
$ sudo yum install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-82985-3 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -279,25 +279,7 @@
The automated installation of updates ensures that recent security patches
are applied in a timely manner. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates | | Identifiers and References | Identifiers:
CCE-82494-6 References:
- BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | | |
| Rule
- Configure dnf-automatic to Install Only Security Updates
- [ref] | To configure dnf-automatic to install only security updates
-automatically, set upgrade_type to security under
-[commands] section in /etc/dnf/automatic.conf. | | Rationale: | By default, dnf-automatic installs all available updates.
-Reducing the amount of updated packages only to updates that were
-issued as a part of a security advisory increases the system stability. | | Severity: | low | | Rule ID: | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only | | Identifiers and References | Identifiers:
- CCE-82267-6 References:
- BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 113 groups and 325 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -450,7 +450,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 100 groups and 255 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -450,7 +450,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 95 groups and 250 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -450,7 +450,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 108 groups and 321 rules | Group
@@ -115,11 +115,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -289,7 +289,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-80676-0 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -450,7 +450,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 106 rules | | Group
@@ -137,7 +137,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -324,7 +324,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -442,11 +442,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -504,7 +504,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 211 rules | Group
@@ -126,11 +126,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -203,7 +203,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -295,7 +295,33 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r877398_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -437,11 +437,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 48 groups and 98 rules | | Group
@@ -139,7 +139,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -321,7 +321,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -444,7 +444,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -591,7 +591,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 54 groups and 137 rules | | Group
@@ -142,7 +142,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -476,7 +476,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 71 groups and 151 rules | | Group
@@ -143,7 +143,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -325,7 +325,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-82196-7 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -448,7 +448,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -566,11 +566,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 62 groups and 211 rules | Group
@@ -117,11 +117,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 2 rules | [ref]
@@ -194,7 +194,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-82155-3 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r877398_rule | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -286,7 +286,33 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_fips_mode | | Identifiers and References | Identifiers:
CCE-80942-6 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r877398_rule | | |
| | Group
System Cryptographic Policies
Group contains 8 rules | [ref]
@@ -428,11 +428,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-82723-8 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 49 groups and 126 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,7 +320,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -438,11 +438,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -500,7 +500,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 39 groups and 72 rules | Group
@@ -113,11 +113,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -195,7 +195,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | |
| Rule
Configure SSH to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -290,7 +290,11 @@
in the /etc/sysconfig/sshd. | | Rationale: | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | | Identifiers and References | Identifiers:
CCE-80939-2 References:
- CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule | | |
| | Group
Disk Partitioning
Group contains 4 rules | [ref]
@@ -436,7 +436,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-80790-9 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010370, 1.2.3, SV-230264r880711_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 29 groups and 57 rules | | Group
@@ -135,7 +135,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-80857-6 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -322,7 +322,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-80858-4 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.8.1.4, 1.8.1.5, 1.8.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9 | | |
| | Group
System Cryptographic Policies
Group contains 6 rules | [ref]
@@ -495,7 +495,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-80935-0 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r877398_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 104 groups and 394 rules | Group
@@ -121,11 +121,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -183,7 +183,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -294,7 +294,82 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.10
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- FTP Server
- Kerberos
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Group contains 102 groups and 391 rules | Group
@@ -127,11 +127,30 @@
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-80844-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -189,7 +189,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-80675-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -300,7 +300,82 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-85964-5 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 62 groups and 164 rules | Group
@@ -116,11 +116,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -415,11 +415,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -462,21 +462,7 @@
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 62 groups and 177 rules | Group
@@ -116,11 +116,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -285,7 +285,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Configure Notification of Post-AIDE Scan Details
[ref] | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -692,11 +692,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- DHCP
- Mail Server Software
- Network Time Protocol
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 57 groups and 152 rules | Group
@@ -116,11 +116,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -177,7 +177,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| | Group
Disk Partitioning
Group contains 7 rules | [ref]
@@ -415,11 +415,30 @@
is to give as few privileges as possible but still allow system users to
get their work done. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_sudo_installed | | Identifiers and References | Identifiers:
CCE-83523-1 References:
- BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, Req-10.2.1.5, SRG-OS-000324-GPOS-00125, 5.3.1 | | |
| Rule
Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
[ref] | The sudo NOEXEC tag, when specified, prevents user executed
@@ -462,21 +462,7 @@
in /etc/sudoers.d/. | | Rationale: | Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_add_noexec | | Identifiers and References | Identifiers:
CCE-83537-1 References:
- BP28(R58) | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- Configure Syslog
- File Permissions and Masks
- Services
- DHCP
- Mail Server Software
- Obsolete Services
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 27 groups and 44 rules | | Group
@@ -103,7 +103,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | Identifiers:
CCE-83544-7 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
[ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | Identifiers:
CCE-83536-3 References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| | Group
Updating Software
Group contains 9 rules | [ref]
@@ -234,11 +234,24 @@
$ sudo dnf install dnf-automatic | | Rationale: | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution.
| | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed | | Identifiers and References | Identifiers:
CCE-83454-9 References:
- BP28(R8), SRG-OS-000191-GPOS-00080 | | |
| Rule
Configure dnf-automatic to Install Available Updates Automatically
[ref] | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. | | Rationale: | Installing software updates is a fundamental mitigation against
@@ -357,7 +357,40 @@
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | Identifiers:
CCE-83457-2 References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.2 | | |
| Rule
+ Ensure gpgcheck Enabled for Local Packages
+ [ref] | dnf should be configured to verify the signature(s) of local packages
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html 2023-02-06 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 108 groups and 317 rules | Group
@@ -115,11 +115,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -176,7 +176,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -284,7 +284,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 92 groups and 239 rules | Group
@@ -115,11 +115,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -176,7 +176,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -284,7 +284,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 89 groups and 236 rules | Group
@@ -115,11 +115,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -176,7 +176,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -284,7 +284,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Cron and At Daemons
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 103 groups and 312 rules | Group
@@ -115,11 +115,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -176,7 +176,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -284,7 +284,24 @@
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | Identifiers:
CCE-83437-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -445,7 +445,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -139,7 +139,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -277,11 +277,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -333,7 +333,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -427,7 +427,34 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Obsolete Services
- Proxy Server
- Network Routing
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 48 groups and 98 rules | | Group
@@ -139,7 +139,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -321,7 +321,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -444,7 +444,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -591,7 +591,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- NFS and RPC
- Obsolete Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 52 groups and 135 rules | | Group
@@ -142,7 +142,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
System Cryptographic Policies
Group contains 2 rules | [ref]
@@ -476,7 +476,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Avahi Server
- Application Whitelisting Daemon
- Network Time Protocol
- Obsolete Services
- Proxy Server
- Network Routing
- SNMP Server
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 71 groups and 148 rules | | Group
@@ -143,7 +143,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -325,7 +325,28 @@
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | Identifiers:
CCE-90842-6 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -448,7 +448,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
Verify Integrity with AIDE
Group contains 1 rule | [ref]
@@ -566,11 +566,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- zIPL bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Application Whitelisting Daemon
- Network Time Protocol
- SSH Server
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 46 groups and 144 rules | | Group
@@ -129,7 +129,19 @@
standards approved by the federal government since this provides assurance they have been tested
and validated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module | | Identifiers and References | Identifiers:
CCE-86547-7 References:
- CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 | | |
| Rule
Enable FIPS Mode
[ref] | To enable FIPS mode, run the following command:
@@ -267,11 +267,24 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed | | Identifiers and References | Identifiers:
CCE-83442-4 References:
- FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | |
| Rule
Configure System Cryptography Policy
[ref] | To configure the system cryptography policy to use ciphers only from the FIPS:OSPP
@@ -323,7 +323,45 @@
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | Identifiers:
CCE-83450-7 References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10 | | |
| Rule
Configure OpenSSL library to use System Crypto Policy
[ref] | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -417,7 +417,34 @@
if there is a [ crypto_policy ] section that contains the .include = /etc/crypto-policies/back-ends/opensslcnf.config directive. | | Rationale: | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | | Identifiers and References | Identifiers:
CCE-83452-3 References:
- CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, SRG-OS-000250-GPOS-00093 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 49 groups and 123 rules | | Group
@@ -133,7 +133,16 @@
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | Identifiers:
CCE-90841-8 References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -320,7 +320,32 @@
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | Identifiers:
CCE-90840-0 References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.15 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | [ref]
@@ -438,11 +438,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -499,7 +499,20 @@
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | Identifiers:
CCE-83438-2 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 115 groups and 496 rules | Group
@@ -122,11 +122,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -183,81 +183,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:9
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- Application Whitelisting Daemon
- FTP Server
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- USBGuard daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
Group contains 113 groups and 491 rules | Group
@@ -128,11 +128,30 @@
$ sudo dnf install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | Identifiers:
CCE-90843-4 References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -189,81 +189,7 @@
manipulated, or replaced. An example is a checksum hash of the file or
files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_check_audit_tools | | Identifiers and References | Identifiers:
CCE-87757-1 References:
- CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 45 groups and 116 rules | Group
@@ -132,7 +132,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -312,7 +312,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -485,7 +485,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- Base Services
- Cron and At Daemons
- FTP Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Network Routing
- SSH Server
- System Security Services Daemon
- X Window System
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 101 groups and 375 rules | Group
@@ -133,7 +133,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -308,7 +308,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -427,7 +427,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Verify Integrity with AIDE
Group contains 7 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:8::hypervisor
- cpe:/a:redhat:enterprise_virtualization_manager:4
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Network Configuration and Firewalls
- File Permissions and Masks
- SELinux
- Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Red Hat Virtualization 4
Group contains 49 groups and 144 rules | Group
@@ -157,7 +157,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify and Correct Ownership with RPM
[ref] | The RPM package management system can check file ownership
@@ -332,7 +332,28 @@
could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_ownership | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001494, CCI-001496, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108 | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -451,7 +451,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -674,7 +674,25 @@
submits to this process. | | Rationale: | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_configure_crypto_policy | | Identifiers and References | References:
- 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 47 groups and 96 rules | Group
@@ -141,7 +141,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -327,7 +327,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Verify Integrity with AIDE
Group contains 3 rules | | The aide package can be installed with the following command:
$ sudo yum install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -504,7 +504,20 @@
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1, SV-251705r880854_rule | | Profile InformationCPE Platforms- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
- cpe:/o:redhat:enterprise_linux:7::server
- cpe:/o:redhat:enterprise_linux:7::workstation
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:scientificlinux:scientificlinux:7
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Base Services
- Cron and At Daemons
Checklist| Group
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
Group contains 28 groups and 51 rules | Group
@@ -143,7 +143,16 @@
$ sudo rpm -Uvh PACKAGENAME | | Rationale: | The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_hashes | | Identifiers and References | References:
- 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227, 6.1.1, SV-214799r854001_rule | | |
| Rule
Verify and Correct File Permissions with RPM
[ref] | The RPM package management system can check file access permissions
@@ -329,7 +329,32 @@
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_rpm_verify_permissions | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 1.7.1.4, 1.7.1.5, 1.7.1.6, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, SV-204392r880752_rule | | |
| | Group
Disk Partitioning
Group contains 2 rules | [ref]
@@ -523,7 +523,40 @@
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, SV-204447r877463_rule | | |
| Rule
Ensure Red Hat GPG Key Installed
[ref] | To ensure the system can cryptographically verify base software packages
@@ -631,7 +631,34 @@
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat. | | Severity: | high | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed | | Identifiers and References | References:
- BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3 | | Remediation Shell script ⇲# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
+readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -45,22 +45,18 @@
| BP28(R1) |
- Uninstall rsh Package |
+ Uninstall DHCP Server Package |
-
-The rsh package contains the client commands
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
-for the rsh services
+The dhcp package can be removed with the following command:
+
+$ sudo yum erase dhcp
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
|
@@ -77,32 +73,32 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall talk-server Package |
- The telnet daemon should be uninstalled.
+ The talk-server package can be removed with the following command: $ sudo yum erase talk-server
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk-server package decreases the
+risk of the accidental (or intentional) activation of talk services.
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Remove NIS Client |
- The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
@@ -123,6 +119,38 @@
| BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 7.
+ |
+
+
+ | BP28(R1) |
Uninstall tftp-server Package |
The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
@@ -139,19 +167,22 @@
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall rsh Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
@@ -172,49 +203,47 @@
- | BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
| BP28(R1) |
- Uninstall talk Package |
+ Remove tftp Daemon |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+tftp is a client program that allows for connections to a tftp server.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
|
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,37 +44,45 @@
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Verify Only Root Has UID 0 |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ 3.1.1
3.1.5 |
+ Disable SSH Root Login |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -112,21 +120,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -153,6 +146,40 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ | 3.1.1 |
+ Disable GDM Automatic Login |
+
+ The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
3.1.1
3.1.5 |
Prevent Login to Accounts With Empty Password |
@@ -174,27 +201,6 @@
|
3.1.1
3.1.5 |
- Verify Only Root Has UID 0 |
-
- If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- |
-
- An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- |
-
-
- 3.1.1
3.1.5 |
Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
@@ -220,82 +226,71 @@
|
3.1.1
3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
- | 3.1.1 |
- Disable GDM Automatic Login |
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
- The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,107 +44,177 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Events that Modify the System's Network Environment |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Creation Attempts to Files - open O_CREAT |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+ The audit system should collect unauthorized file accesses for
+all users and root. The open syscall can be used to create new files
+when O_CREAT flag is specified.
+
+The following auidt rules will asure that unsuccessful attempts to create a
+file via open syscall are collected.
+
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
|
- The network environment should not be modified by anything other
-than administrator action. Any change to network parameters should be
-audited.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record attempts to alter time through settimeofday |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Events that Modify the System's Mandatory Access Controls |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
-The -k option allows for the specification of a key in string form that can be
-used for better reporting capability through ausearch and aureport. Multiple
-system calls can be defined on the same line to save space if desired, but is
-not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ The system's mandatory access policy (SELinux) should not be
+arbitrarily changed by anything other than administrator action. All changes to
+MAC policy should be audited.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fchmodat |
+ Record Unsuccessful Delete Attempts to Files - unlink |
- The audit system should collect unsuccessful file permission change
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+ |
+
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
+ |
+
+
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Ownership Changes to Files - lchown |
+
+ The audit system should collect unsuccessful file ownership change
attempts for all users and root.
+
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
|
+ IA-2
AC-6(5)
IA-4(b) |
+ Verify Only Root Has UID 0 |
+
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+ |
+
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
+ |
+
+
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
+ Ensure auditd Collects File Deletion Events by User - unlink |
+
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
|
AGD_PRE.1
AGD_OPE.1 |
+ Install openscap-scanner Package |
+
+ The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
+ |
+
+ openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
+ |
+
+
+ AGD_PRE.1
AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
@@ -64,27 +78,24 @@
|
- AGD_PRE.1
AGD_OPE.1 |
- Install openscap-scanner Package |
-
- The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
- openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
| FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
- The audit package should be installed.
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
@@ -110,23 +121,25 @@
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Ensure the audit Subsystem is Installed |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ The audit package should be installed.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ |
+
+
+ | FAU_GEN.1 |
+ Include Local Events in Audit Logs |
+
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
+ |
+
+ If option local_events isn't set to yes only events from
+network will be aggregated.
|
@@ -166,235 +179,59 @@
- | FAU_GEN.1 |
- Include Local Events in Audit Logs |
-
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
- |
-
- If option local_events isn't set to yes only events from
-network will be aggregated.
- |
-
-
| FAU_GEN.1.1.c |
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
+ The audit system should collect write events to /etc/shadow file for all users and root.
+If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
+utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.
|
| FAU_GEN.1.1.c |
- Record Unsuccessful Access Attempts to Files - truncate |
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
+ The audit system should collect write events to /etc/gshadow file for all users and root.
+If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- |
-
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- | FAU_GEN.1.1.c |
- Record Any Attempts to Run setsebool |
-
- At a minimum, the audit system should collect any execution attempt
-of the setsebool command for all users and root. If the auditd
-daemon is configured to use the augenrules program to read audit rules
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -117,6 +117,22 @@
|
| Req-1.4.1 |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ |
+
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
+ |
+
+
+ | Req-1.4.1 |
Set configuration for IPv6 loopback traffic |
Configure the loopback interface to accept traffic.
@@ -147,22 +163,6 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
-
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
- |
-
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -242,6 +242,22 @@
|
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
+ |
+
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -257,6 +273,21 @@
|
| Req-1.4.3 |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ |
+
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
+ |
+
+
+ | Req-1.4.3 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
@@ -288,37 +319,6 @@
|
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
- |
-
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
@@ -331,16 +331,24 @@
|
| Req-2.2.1 |
- Enable NX or XD Support in the BIOS |
+ Install PAE Kernel on Supported 32-bit x86 Systems |
- Reboot the system and enter the BIOS or Setup configuration menu.
-Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
-under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
-on AMD-based systems.
+ Systems that are using the 64-bit x86 kernel package
+do not need to install the kernel-PAE package because the 64-bit
+x86 kernel already includes this support. However, if the system is
+32-bit and also supports the PAE and NX features as
+determined in the previous section, the kernel-PAE package should
+be installed to enable XD or NX support.
+The kernel-PAE package can be installed with the following command:
+
+$ sudo yum install kernel-PAE
+The installation process should also have configured the
+bootloader to load the new kernel at boot. Verify this after reboot
+and modify /etc/default/grub if necessary.
|
- Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
-allow users to turn the feature on or off at will.
+ On 32-bit systems that support the XD or NX bit, the vendor-supplied
+PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
|
@@ -361,24 +369,27 @@
| Req-2.2.1 |
- Install PAE Kernel on Supported 32-bit x86 Systems |
+ Enable NX or XD Support in the BIOS |
- Systems that are using the 64-bit x86 kernel package
-do not need to install the kernel-PAE package because the 64-bit
-x86 kernel already includes this support. However, if the system is
-32-bit and also supports the PAE and NX features as
-determined in the previous section, the kernel-PAE package should
-be installed to enable XD or NX support.
-The kernel-PAE package can be installed with the following command:
-
-$ sudo yum install kernel-PAE
-The installation process should also have configured the
-bootloader to load the new kernel at boot. Verify this after reboot
-and modify /etc/default/grub if necessary.
+ Reboot the system and enter the BIOS or Setup configuration menu.
+Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
+under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
+on AMD-based systems.
|
- On 32-bit systems that support the XD or NX bit, the vendor-supplied
-PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
+ Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
+allow users to turn the feature on or off at will.
+ |
+
+
+ | Req-2.2.4 |
+ Uninstall vsftpd Package |
+
+ The vsftpd package can be removed with the following command: $ sudo yum erase vsftpd
+ |
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -45,22 +45,18 @@
| BP28(R1) |
- Uninstall rsh Package |
+ Uninstall DHCP Server Package |
-
-The rsh package contains the client commands
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
-for the rsh services
+The dhcp-server package can be removed with the following command:
+
+$ sudo yum erase dhcp-server
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
|
@@ -77,32 +73,32 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall talk-server Package |
- The telnet daemon should be uninstalled.
+ The talk-server package can be removed with the following command: $ sudo yum erase talk-server
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk-server package decreases the
+risk of the accidental (or intentional) activation of talk services.
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Remove NIS Client |
- The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
@@ -123,6 +119,38 @@
| BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Oracle Linux 8.
+ |
+
+
+ | BP28(R1) |
Uninstall tftp-server Package |
The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
@@ -139,19 +167,22 @@
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall rsh Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
@@ -172,49 +203,47 @@
- | BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
| BP28(R1) |
- Uninstall talk Package |
+ Remove tftp Daemon |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+tftp is a client program that allows for connections to a tftp server.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
|
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,37 +44,45 @@
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Verify Only Root Has UID 0 |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ 3.1.1
3.1.5 |
+ Disable SSH Root Login |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -112,21 +120,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -153,6 +146,40 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ | 3.1.1 |
+ Disable GDM Automatic Login |
+
+ The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
3.1.1
3.1.5 |
Prevent Login to Accounts With Empty Password |
@@ -174,27 +201,6 @@
|
3.1.1
3.1.5 |
- Verify Only Root Has UID 0 |
-
- If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- |
-
- An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- |
-
-
- 3.1.1
3.1.5 |
Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
@@ -220,82 +226,71 @@
|
3.1.1
3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
- | 3.1.1 |
- Disable GDM Automatic Login |
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
- The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,111 +44,177 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Events that Modify the System's Network Environment |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Creation Attempts to Files - open O_CREAT |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+ The audit system should collect unauthorized file accesses for
+all users and root. The open syscall can be used to create new files
+when O_CREAT flag is specified.
+
+The following auidt rules will asure that unsuccessful attempts to create a
+file via open syscall are collected.
+
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
|
- The network environment should not be modified by anything other
-than administrator action. Any change to network parameters should be
-audited.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record attempts to alter time through settimeofday |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Events that Modify the System's Mandatory Access Controls |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
-The -k option allows for the specification of a key in string form that can be
-used for better reporting capability through ausearch and aureport. Multiple
-system calls can be defined on the same line to save space if desired, but is
-not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ The system's mandatory access policy (SELinux) should not be
+arbitrarily changed by anything other than administrator action. All changes to
+MAC policy should be audited.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fchmodat |
+ Record Unsuccessful Delete Attempts to Files - unlink |
- The audit system should collect unsuccessful file permission change
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+ |
+
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
+ |
+
+
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Ownership Changes to Files - lchown |
+
+ The audit system should collect unsuccessful file ownership change
attempts for all users and root.
+
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
|
+ IA-2
AC-6(5)
IA-4(b) |
+ Verify Only Root Has UID 0 |
+
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+ |
+
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
+ |
+
+
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
+ Ensure auditd Collects File Deletion Events by User - unlink |
+
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -117,6 +117,22 @@
|
| Req-1.4.1 |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ |
+
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
+ |
+
+
+ | Req-1.4.1 |
Set configuration for IPv6 loopback traffic |
Configure the loopback interface to accept traffic.
@@ -147,22 +163,6 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
-
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
- |
-
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -242,6 +242,22 @@
|
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
+ |
+
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -257,6 +273,21 @@
|
| Req-1.4.3 |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ |
+
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
+ |
+
+
+ | Req-1.4.3 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
@@ -288,37 +319,6 @@
|
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
- |
-
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
@@ -348,22 +348,6 @@
|
| Req-2.2 |
- Configure SSH to use System Crypto Policy |
-
- Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-SSH is supported by crypto policy, but the SSH configuration may be
-set up to ignore it.
-To check that Crypto Policies settings are configured correctly, ensure that
-the CRYPTO_POLICY variable is either commented or not set at all
-in the /etc/sysconfig/sshd.
- |
-
- Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
-and makes system configuration more fragmented.
- |
-
-
- | Req-2.2 |
Configure Libreswan to use System Crypto Policy |
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -383,17 +367,41 @@
|
+ | Req-2.2 |
+ Configure SSH to use System Crypto Policy |
+
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+SSH is supported by crypto policy, but the SSH configuration may be
+set up to ignore it.
+To check that Crypto Policies settings are configured correctly, ensure that
+the CRYPTO_POLICY variable is either commented or not set at all
+in the /etc/sysconfig/sshd.
+ |
+
+ Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
+and makes system configuration more fragmented.
+ |
+
+
| Req-2.2.1 |
- Enable NX or XD Support in the BIOS |
+ Install PAE Kernel on Supported 32-bit x86 Systems |
- Reboot the system and enter the BIOS or Setup configuration menu.
-Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
-under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
-on AMD-based systems.
+ Systems that are using the 64-bit x86 kernel package
+do not need to install the kernel-PAE package because the 64-bit
+x86 kernel already includes this support. However, if the system is
+32-bit and also supports the PAE and NX features as
+determined in the previous section, the kernel-PAE package should
+be installed to enable XD or NX support.
+The kernel-PAE package can be installed with the following command:
+
+$ sudo yum install kernel-PAE
+The installation process should also have configured the
+bootloader to load the new kernel at boot. Verify this after reboot
+and modify /etc/default/grub if necessary.
|
- Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
-allow users to turn the feature on or off at will.
+ On 32-bit systems that support the XD or NX bit, the vendor-supplied
+PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,107 +44,177 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Events that Modify the System's Network Environment |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Creation Attempts to Files - open O_CREAT |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+ The audit system should collect unauthorized file accesses for
+all users and root. The open syscall can be used to create new files
+when O_CREAT flag is specified.
+
+The following auidt rules will asure that unsuccessful attempts to create a
+file via open syscall are collected.
+
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
|
- The network environment should not be modified by anything other
-than administrator action. Any change to network parameters should be
-audited.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record attempts to alter time through settimeofday |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Events that Modify the System's Mandatory Access Controls |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
-The -k option allows for the specification of a key in string form that can be
-used for better reporting capability through ausearch and aureport. Multiple
-system calls can be defined on the same line to save space if desired, but is
-not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ The system's mandatory access policy (SELinux) should not be
+arbitrarily changed by anything other than administrator action. All changes to
+MAC policy should be audited.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fchmodat |
+ Record Unsuccessful Delete Attempts to Files - unlink |
- The audit system should collect unsuccessful file permission change
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+ |
+
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
+ |
+
+
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Ownership Changes to Files - lchown |
+
+ The audit system should collect unsuccessful file ownership change
attempts for all users and root.
+
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
|
+ IA-2
AC-6(5)
IA-4(b) |
+ Verify Only Root Has UID 0 |
+
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+ |
+
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
+ |
+
+
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
+ Ensure auditd Collects File Deletion Events by User - unlink |
+
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -45,22 +45,18 @@
|
| BP28(R1) |
- Uninstall rsh Package |
+ Uninstall DHCP Server Package |
-
-The rsh package contains the client commands
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
-for the rsh services
+The dhcp package can be removed with the following command:
+
+$ sudo yum erase dhcp
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
|
@@ -77,32 +73,32 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall talk-server Package |
- The telnet daemon should be uninstalled.
+ The talk-server package can be removed with the following command: $ sudo yum erase talk-server
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk-server package decreases the
+risk of the accidental (or intentional) activation of talk services.
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Remove NIS Client |
- The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
@@ -123,6 +119,38 @@
| BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 7.
+ |
+
+
+ | BP28(R1) |
Uninstall tftp-server Package |
The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
@@ -139,19 +167,22 @@
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall rsh Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
@@ -172,49 +203,47 @@
- | BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
| BP28(R1) |
- Uninstall talk Package |
+ Remove tftp Daemon |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+tftp is a client program that allows for connections to a tftp server.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
|
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -70,6 +70,31 @@
| 1.1.1.2 |
+ Disable Mounting of squashfs |
+
+
+To configure the system to prevent the squashfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
+install squashfs /bin/true
+
+To configure the system to prevent the squashfs from being used,
+add the following line to file /etc/modprobe.d/squashfs.conf:
+blacklist squashfs
+
+This effectively prevents usage of this uncommon filesystem.
+
+The squashfs filesystem type is a compressed read-only Linux
+filesystem embedded in small footprint systems (similar to
+cramfs). A squashfs image can be used without having
+to first decompress the image.
+ |
+
+ Removing support for unneeded filesystem types reduces the local attack
+surface of the system.
+ |
+
+
+ | 1.1.1.2 |
Disable Mounting of freevxfs |
@@ -89,28 +114,23 @@
|
- | 1.1.1.2 |
- Disable Mounting of squashfs |
+ 1.1.1.3 |
+ Disable Mounting of jffs2 |
-To configure the system to prevent the squashfs
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
-install squashfs /bin/true
+To configure the system to prevent the jffs2
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
+install jffs2 /bin/true
-To configure the system to prevent the squashfs from being used,
-add the following line to file /etc/modprobe.d/squashfs.conf:
-blacklist squashfs
+To configure the system to prevent the jffs2 from being used,
+add the following line to file /etc/modprobe.d/jffs2.conf:
+blacklist jffs2
This effectively prevents usage of this uncommon filesystem.
-
-The squashfs filesystem type is a compressed read-only Linux
-filesystem embedded in small footprint systems (similar to
-cramfs). A squashfs image can be used without having
-to first decompress the image.
|
- Removing support for unneeded filesystem types reduces the local attack
-surface of the system.
+ Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
|
@@ -140,26 +160,6 @@
- | 1.1.1.3 |
- Disable Mounting of jffs2 |
-
-
-To configure the system to prevent the jffs2
-kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
-install jffs2 /bin/true
-
-To configure the system to prevent the jffs2 from being used,
-add the following line to file /etc/modprobe.d/jffs2.conf:
-blacklist jffs2
-
-This effectively prevents usage of this uncommon filesystem.
- |
-
- Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.
- |
-
-
| 1.1.1.4 |
Disable Mounting of hfs |
@@ -595,6 +595,23 @@
|
| 1.2.3 |
+ Ensure gpgcheck Enabled for All yum Package Repositories |
+
+ To ensure signature checking is not disabled for
+any repos, remove any lines from files in /etc/yum.repos.d of the form:
+gpgcheck=0
+ |
+
+ Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+ |
+
+
+ | 1.2.3 |
Ensure gpgcheck Enabled In Main yum Configuration |
The gpgcheck option controls whether
@@ -651,23 +668,6 @@
|
- | 1.2.3 |
- Ensure gpgcheck Enabled for All yum Package Repositories |
-
- To ensure signature checking is not disabled for
-any repos, remove any lines from files in /etc/yum.repos.d of the form:
-gpgcheck=0
- |
-
- Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
- |
-
-
| 1.2.5 |
Disable Red Hat Network Service (rhnsd) |
@@ -688,6 +688,18 @@
|
| 1.3.1 |
+ Install AIDE |
+
+ The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+ The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
+ | 1.3.1 |
Build and Test AIDE Database |
Run the following command to generate a new database:
@@ -715,18 +727,6 @@
|
- | 1.3.1 |
- Install AIDE |
-
- The aide package can be installed with the following command:
-
-$ sudo yum install aide
- |
-
- The AIDE package must be installed if it is to be available for integrity checking.
- |
-
-
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -757,7 +757,7 @@
|
| 1.4.1 |
- Set Boot Loader Password in grub2 |
+ Set the UEFI Boot Loader Password |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
@@ -779,7 +779,7 @@
|
| 1.4.1 |
- Set the UEFI Boot Loader Password |
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,37 +44,45 @@
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Verify Only Root Has UID 0 |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ 3.1.1
3.1.5 |
+ Disable SSH Root Login |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -112,21 +120,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -153,6 +146,40 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ | 3.1.1 |
+ Disable GDM Automatic Login |
+
+ The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
3.1.1
3.1.5 |
Prevent Login to Accounts With Empty Password |
@@ -174,27 +201,6 @@
|
3.1.1
3.1.5 |
- Verify Only Root Has UID 0 |
-
- If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- |
-
- An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- |
-
-
- 3.1.1
3.1.5 |
Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
@@ -220,82 +226,71 @@
|
3.1.1
3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
- | 3.1.1 |
- Disable GDM Automatic Login |
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
- The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,107 +44,177 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Events that Modify the System's Network Environment |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Creation Attempts to Files - open O_CREAT |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+ The audit system should collect unauthorized file accesses for
+all users and root. The open syscall can be used to create new files
+when O_CREAT flag is specified.
+
+The following auidt rules will asure that unsuccessful attempts to create a
+file via open syscall are collected.
+
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
|
- The network environment should not be modified by anything other
-than administrator action. Any change to network parameters should be
-audited.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record attempts to alter time through settimeofday |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Events that Modify the System's Mandatory Access Controls |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
-The -k option allows for the specification of a key in string form that can be
-used for better reporting capability through ausearch and aureport. Multiple
-system calls can be defined on the same line to save space if desired, but is
-not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ The system's mandatory access policy (SELinux) should not be
+arbitrarily changed by anything other than administrator action. All changes to
+MAC policy should be audited.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fchmodat |
+ Record Unsuccessful Delete Attempts to Files - unlink |
- The audit system should collect unsuccessful file permission change
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+ |
+
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
+ |
+
+
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Ownership Changes to Files - lchown |
+
+ The audit system should collect unsuccessful file ownership change
attempts for all users and root.
+
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
|
+ IA-2
AC-6(5)
IA-4(b) |
+ Verify Only Root Has UID 0 |
+
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+ |
+
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
+ |
+
+
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
+ Ensure auditd Collects File Deletion Events by User - unlink |
+
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
|
AGD_PRE.1
AGD_OPE.1 |
+ Install openscap-scanner Package |
+
+ The openscap-scanner package can be installed with the following command:
+
+$ sudo yum install openscap-scanner
+ |
+
+ openscap-scanner contains the oscap command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
+ |
+
+
+ AGD_PRE.1
AGD_OPE.1 |
Install scap-security-guide Package |
The scap-security-guide package can be installed with the following command:
@@ -64,27 +78,24 @@
|
- AGD_PRE.1
AGD_OPE.1 |
- Install openscap-scanner Package |
-
- The openscap-scanner package can be installed with the following command:
-
-$ sudo yum install openscap-scanner
- |
-
- openscap-scanner contains the oscap command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
- |
-
-
| FAU_GEN.1 |
- Ensure the audit Subsystem is Installed |
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon |
- The audit package should be installed.
+ To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument audit=1 to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that audit=1 is added as a kernel command line
+argument to newly installed kernels, add audit=1 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... audit=1 ..."
+Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
|
- The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although auditd takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
|
@@ -110,23 +121,25 @@
| FAU_GEN.1 |
- Enable Auditing for Processes Which Start Prior to the Audit Daemon |
+ Ensure the audit Subsystem is Installed |
- To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument audit=1 to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that audit=1 is added as a kernel command line
-argument to newly installed kernels, add audit=1 to the
-default Grub2 command line for Linux operating systems. Modify the line within
-/etc/default/grub as shown below:
-GRUB_CMDLINE_LINUX="... audit=1 ..."
-Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="audit=1"
+ The audit package should be installed.
|
- Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although auditd takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ |
+
+
+ | FAU_GEN.1 |
+ Include Local Events in Audit Logs |
+
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
+ |
+
+ If option local_events isn't set to yes only events from
+network will be aggregated.
|
@@ -166,235 +179,59 @@
- | FAU_GEN.1 |
- Include Local Events in Audit Logs |
-
- To configure Audit daemon to include local events in Audit logs, set
-local_events to yes in /etc/audit/auditd.conf.
-This is the default setting.
- |
-
- If option local_events isn't set to yes only events from
-network will be aggregated.
- |
-
-
| FAU_GEN.1.1.c |
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow |
- At a minimum, the audit system should collect file permission
-changes for all users and root. If the auditd daemon is configured
+ The audit system should collect write events to /etc/shadow file for all users and root.
+If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
+startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following line to
+utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
- The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
+ Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.
|
| FAU_GEN.1.1.c |
- Record Unsuccessful Access Attempts to Files - truncate |
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow |
- At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the auditd daemon is configured
+ The audit system should collect write events to /etc/gshadow file for all users and root.
+If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-
-If the system is 64 bit then also add the following lines:
-
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
- |
-
- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
- |
-
-
- | FAU_GEN.1.1.c |
- Record Any Attempts to Run setsebool |
-
- At a minimum, the audit system should collect any execution attempt
-of the setsebool command for all users and root. If the auditd
-daemon is configured to use the augenrules program to read audit rules
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -117,6 +117,22 @@
|
| Req-1.4.1 |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ |
+
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
+ |
+
+
+ | Req-1.4.1 |
Set configuration for IPv6 loopback traffic |
Configure the loopback interface to accept traffic.
@@ -147,22 +163,6 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
-
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
- |
-
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -242,6 +242,22 @@
|
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
+ |
+
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -257,6 +273,21 @@
|
| Req-1.4.3 |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ |
+
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
+ |
+
+
+ | Req-1.4.3 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
@@ -288,37 +319,6 @@
|
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
- |
-
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
@@ -331,16 +331,24 @@
|
| Req-2.2.1 |
- Enable NX or XD Support in the BIOS |
+ Install PAE Kernel on Supported 32-bit x86 Systems |
- Reboot the system and enter the BIOS or Setup configuration menu.
-Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
-under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
-on AMD-based systems.
+ Systems that are using the 64-bit x86 kernel package
+do not need to install the kernel-PAE package because the 64-bit
+x86 kernel already includes this support. However, if the system is
+32-bit and also supports the PAE and NX features as
+determined in the previous section, the kernel-PAE package should
+be installed to enable XD or NX support.
+The kernel-PAE package can be installed with the following command:
+
+$ sudo yum install kernel-PAE
+The installation process should also have configured the
+bootloader to load the new kernel at boot. Verify this after reboot
+and modify /etc/default/grub if necessary.
|
- Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
-allow users to turn the feature on or off at will.
+ On 32-bit systems that support the XD or NX bit, the vendor-supplied
+PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
|
@@ -361,24 +369,27 @@
| Req-2.2.1 |
- Install PAE Kernel on Supported 32-bit x86 Systems |
+ Enable NX or XD Support in the BIOS |
- Systems that are using the 64-bit x86 kernel package
-do not need to install the kernel-PAE package because the 64-bit
-x86 kernel already includes this support. However, if the system is
-32-bit and also supports the PAE and NX features as
-determined in the previous section, the kernel-PAE package should
-be installed to enable XD or NX support.
-The kernel-PAE package can be installed with the following command:
-
-$ sudo yum install kernel-PAE
-The installation process should also have configured the
-bootloader to load the new kernel at boot. Verify this after reboot
-and modify /etc/default/grub if necessary.
+ Reboot the system and enter the BIOS or Setup configuration menu.
+Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
+under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
+on AMD-based systems.
|
- On 32-bit systems that support the XD or NX bit, the vendor-supplied
-PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
+ Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
+allow users to turn the feature on or off at will.
+ |
+
+
+ | Req-2.2.4 |
+ Uninstall vsftpd Package |
+
+ The vsftpd package can be removed with the following command: $ sudo yum erase vsftpd
+ |
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -45,22 +45,18 @@
| BP28(R1) |
- Uninstall rsh Package |
+ Uninstall DHCP Server Package |
-
-The rsh package contains the client commands
+ If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
-for the rsh services
+The dhcp-server package can be removed with the following command:
+
+$ sudo yum erase dhcp-server
|
- These legacy clients contain numerous security exposures and have
-been replaced with the more secure SSH package. Even if the server is removed,
-it is best to ensure the clients are also removed to prevent users from
-inadvertently attempting to use these commands and therefore exposing
-
-their credentials. Note that removing the rsh package removes
-
-the clients for rsh,rcp, and rlogin.
+ Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
|
@@ -77,32 +73,32 @@
- BP28(R1)
NT007(R03) |
- Uninstall the telnet server |
+ BP28(R1) |
+ Uninstall talk-server Package |
- The telnet daemon should be uninstalled.
+ The talk-server package can be removed with the following command: $ sudo yum erase talk-server
|
- telnet allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk-server package decreases the
+risk of the accidental (or intentional) activation of talk services.
|
| BP28(R1) |
- Uninstall rsh-server Package |
+ Remove NIS Client |
- The rsh-server package can be removed with the following command:
-
-$ sudo yum erase rsh-server
+ The Network Information Service (NIS), formerly known as Yellow Pages,
+is a client-server directory service protocol used to distribute system configuration
+files. The NIS client (ypbind) was used to bind a system to an NIS server
+and receive the distributed configuration files.
|
- The rsh-server service provides unencrypted remote access service which does not
-provide for the confidentiality and integrity of user passwords or the remote session and has very weak
-authentication. If a privileged user were to login using this service, the privileged user password
-could be compromised. The rsh-server package provides several obsolete and insecure
-network services. Removing it decreases the risk of those services' accidental (or intentional)
-activation.
+ The NIS service is inherently an insecure system that has been vulnerable
+to DOS attacks, buffer overflows and has poor authentication for querying
+NIS maps. NIS generally has been replaced by such protocols as Lightweight
+Directory Access Protocol (LDAP). It is recommended that the service be
+removed.
|
@@ -123,6 +119,38 @@
| BP28(R1) |
+ Uninstall talk Package |
+
+ The talk package contains the client program for the
+Internet talk protocol, which allows the user to chat with other users on
+different systems. Talk is a communication program which copies lines from one
+terminal to the terminal of another user.
+The talk package can be removed with the following command:
+
+$ sudo yum erase talk
+ |
+
+ The talk software presents a security risk as it uses unencrypted protocols
+for communications. Removing the talk package decreases the
+risk of the accidental (or intentional) activation of talk client program.
+ |
+
+
+ | BP28(R1) |
+ Remove telnet Clients |
+
+ The telnet client allows users to start connections to other systems via
+the telnet protocol.
+ |
+
+ The telnet protocol is insecure and unencrypted. The use
+of an unencrypted transmission medium could allow an unauthorized user
+to steal credentials. The ssh package provides an
+encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
+ |
+
+
+ | BP28(R1) |
Uninstall tftp-server Package |
The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server
@@ -139,19 +167,22 @@
|
| BP28(R1) |
- Remove NIS Client |
+ Uninstall rsh Package |
- The Network Information Service (NIS), formerly known as Yellow Pages,
-is a client-server directory service protocol used to distribute system configuration
-files. The NIS client (ypbind) was used to bind a system to an NIS server
-and receive the distributed configuration files.
+
+The rsh package contains the client commands
+
+for the rsh services
|
- The NIS service is inherently an insecure system that has been vulnerable
-to DOS attacks, buffer overflows and has poor authentication for querying
-NIS maps. NIS generally has been replaced by such protocols as Lightweight
-Directory Access Protocol (LDAP). It is recommended that the service be
-removed.
+ These legacy clients contain numerous security exposures and have
+been replaced with the more secure SSH package. Even if the server is removed,
+it is best to ensure the clients are also removed to prevent users from
+inadvertently attempting to use these commands and therefore exposing
+
+their credentials. Note that removing the rsh package removes
+
+the clients for rsh,rcp, and rlogin.
|
@@ -172,49 +203,47 @@
- | BP28(R1) |
- Uninstall talk-server Package |
+ BP28(R1)
NT007(R03) |
+ Uninstall the telnet server |
- The talk-server package can be removed with the following command: $ sudo yum erase talk-server
+ The telnet daemon should be uninstalled.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk-server package decreases the
-risk of the accidental (or intentional) activation of talk services.
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
|
| BP28(R1) |
- Uninstall talk Package |
+ Remove tftp Daemon |
- The talk package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The talk package can be removed with the following command:
-
-$ sudo yum erase talk
+ Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
+typically used to automatically transfer configuration or boot files between systems.
+TFTP does not support authentication and can be easily hacked. The package
+tftp is a client program that allows for connections to a tftp server.
|
- The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the talk package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+ It is recommended that TFTP be removed, unless there is a specific need
+for TFTP (such as a boot server). In that case, use extreme caution when configuring
+the services.
|
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -800,6 +800,18 @@
| 1.3.1 |
+ Install AIDE |
+
+ The aide package can be installed with the following command:
+
+$ sudo yum install aide
+ |
+
+ The AIDE package must be installed if it is to be available for integrity checking.
+ |
+
+
+ | 1.3.1 |
Build and Test AIDE Database |
Run the following command to generate a new database:
@@ -827,18 +839,6 @@
|
- | 1.3.1 |
- Install AIDE |
-
- The aide package can be installed with the following command:
-
-$ sudo yum install aide
- |
-
- The AIDE package must be installed if it is to be available for integrity checking.
- |
-
-
| 1.3.2 |
Configure Periodic Execution of AIDE |
@@ -869,7 +869,7 @@
|
| 1.4.1 |
- Set Boot Loader Password in grub2 |
+ Set the UEFI Boot Loader Password |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
@@ -891,7 +891,7 @@
|
| 1.4.1 |
- Set the UEFI Boot Loader Password |
+ Set Boot Loader Password in grub2 |
The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
@@ -913,17 +913,16 @@
|
| 1.4.2 |
- Verify /boot/grub2/grub.cfg User Ownership |
+ Verify /boot/efi/EFI/redhat/user.cfg Permissions |
- The file /boot/grub2/grub.cfg should
-be owned by the root user to prevent destruction
-or modification of the file.
+ File permissions for /boot/efi/EFI/redhat/user.cfg should be set to 600.
-To properly set the owner of /boot/grub2/grub.cfg, run the command:
-$ sudo chown root /boot/grub2/grub.cfg
+To properly set the permissions of /boot/efi/EFI/redhat/user.cfg, run the command:
+$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg
|
- Only root should be able to modify important boot parameters.
+ Proper permissions ensure that only the root user can read or modify important boot
+parameters.
|
@@ -944,18 +943,33 @@
| 1.4.2 |
- Verify /boot/efi/EFI/redhat/user.cfg Group Ownership |
+ Verify /boot/grub2/grub.cfg User Ownership |
- The file /boot/efi/EFI/redhat/user.cfg should be group-owned by the
-root group to prevent reading or modification of the file.
+ The file /boot/grub2/grub.cfg should
+be owned by the root user to prevent destruction
+or modification of the file.
-To properly set the group owner of /boot/efi/EFI/redhat/user.cfg, run the command:
-$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg
+To properly set the owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chown root /boot/grub2/grub.cfg
|
- The root group is a highly-privileged group. Furthermore, the group-owner of this
-file should not have any access privileges anyway. Non-root users who read the boot parameters
-may be able to identify weaknesses in security upon boot and be able to exploit them.
+ Only root should be able to modify important boot parameters.
+ |
+
+
+ | 1.4.2 |
+ Verify /boot/grub2/user.cfg User Ownership |
+
+ The file /boot/grub2/user.cfg should be owned by the root
+user to prevent reading or modification of the file.
+
+To properly set the owner of /boot/grub2/user.cfg, run the command:
+$ sudo chown root /boot/grub2/user.cfg
+ |
+
+ Only root should be able to modify important boot parameters. Also, non-root users who read
+the boot parameters may be able to identify weaknesses in security upon boot and be able to
+exploit them.
|
@@ -974,15 +988,31 @@
| 1.4.2 |
- Verify /boot/grub2/user.cfg Permissions |
+ Verify /boot/efi/EFI/redhat/user.cfg Group Ownership |
- File permissions for /boot/grub2/user.cfg should be set to 600.
+ The file /boot/efi/EFI/redhat/user.cfg should be group-owned by the
+root group to prevent reading or modification of the file.
-To properly set the permissions of /boot/grub2/user.cfg, run the command:
-$ sudo chmod 600 /boot/grub2/user.cfg
+To properly set the group owner of /boot/efi/EFI/redhat/user.cfg, run the command:
+$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg
|
- Proper permissions ensure that only the root user can read or modify important boot
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway. Non-root users who read the boot parameters
+may be able to identify weaknesses in security upon boot and be able to exploit them.
+ |
+
+
+ | 1.4.2 |
+ Verify /boot/grub2/grub.cfg Permissions |
+
+ File permissions for /boot/grub2/grub.cfg should be set to 600.
+
+To properly set the permissions of /boot/grub2/grub.cfg, run the command:
+$ sudo chmod 600 /boot/grub2/grub.cfg
+ |
+
+ Proper permissions ensure that only the root user can modify important boot
parameters.
|
@@ -1003,29 +1033,29 @@
| 1.4.2 |
- Verify /boot/efi/EFI/redhat/user.cfg User Ownership |
+ Verify /boot/grub2/grub.cfg Group Ownership |
- The file /boot/efi/EFI/redhat/user.cfg should be owned by the root
-user to prevent reading or modification of the file.
+ The file /boot/grub2/grub.cfg should
+be group-owned by the root group to prevent
+destruction or modification of the file.
-To properly set the owner of /boot/efi/EFI/redhat/user.cfg, run the command:
-$ sudo chown root /boot/efi/EFI/redhat/user.cfg
+To properly set the group owner of /boot/grub2/grub.cfg, run the command:
+$ sudo chgrp root /boot/grub2/grub.cfg
|
- Only root should be able to modify important boot parameters. Also, non-root users who read
-the boot parameters may be able to identify weaknesses in security upon boot and be able to
-exploit them.
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
|
| 1.4.2 |
- Verify /boot/grub2/user.cfg User Ownership |
+ Verify /boot/efi/EFI/redhat/user.cfg User Ownership |
- The file /boot/grub2/user.cfg should be owned by the root
+ The file /boot/efi/EFI/redhat/user.cfg should be owned by the root
user to prevent reading or modification of the file.
-To properly set the owner of /boot/grub2/user.cfg, run the command:
-$ sudo chown root /boot/grub2/user.cfg
+To properly set the owner of /boot/efi/EFI/redhat/user.cfg, run the command:
+$ sudo chown root /boot/efi/EFI/redhat/user.cfg
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,37 +44,45 @@
|
- | 3.1.1 |
- Disable GDM Guest Login |
+ 3.1.1
3.1.5 |
+ Verify Only Root Has UID 0 |
- The GNOME Display Manager (GDM) can allow users to login without credentials
-which can be useful for public kiosk scenarios. Allowing users to login without credentials
-or "guest" account access has inherent security risks and should be disabled. To do disable
-timed logins or guest account access, set the TimedLoginEnable to false in
-the [daemon] section in /etc/gdm/custom.conf. For example:
-[daemon]
-TimedLoginEnable=false
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
|
- Failure to restrict system access to authenticated users negatively impacts operating
-system security.
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
|
- 3.1.1
3.4.5 |
- Require Authentication for Emergency Systemd Target |
+ 3.1.1
3.1.5 |
+ Disable SSH Root Login |
- Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-
-By default, Emergency mode is protected by requiring a password and is set
-in /usr/lib/systemd/system/emergency.service.
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
|
- This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
|
@@ -112,21 +120,6 @@
- 3.1.1
3.1.5 |
- Restrict Serial Port Root Logins |
-
- To restrict root logins on serial ports,
-ensure lines of this form do not appear in /etc/securetty:
-ttyS0
-ttyS1
- |
-
- Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
- |
-
-
3.1.1
3.1.6 |
Direct root Logins Not Allowed |
@@ -153,6 +146,40 @@
|
+ | 3.1.1 |
+ Disable GDM Guest Login |
+
+ The GNOME Display Manager (GDM) can allow users to login without credentials
+which can be useful for public kiosk scenarios. Allowing users to login without credentials
+or "guest" account access has inherent security risks and should be disabled. To do disable
+timed logins or guest account access, set the TimedLoginEnable to false in
+the [daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+TimedLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
+ | 3.1.1 |
+ Disable GDM Automatic Login |
+
+ The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the AutomaticLoginEnable to false in the
+[daemon] section in /etc/gdm/custom.conf. For example:
+[daemon]
+AutomaticLoginEnable=false
+ |
+
+ Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+ |
+
+
3.1.1
3.1.5 |
Prevent Login to Accounts With Empty Password |
@@ -174,27 +201,6 @@
|
3.1.1
3.1.5 |
- Verify Only Root Has UID 0 |
-
- If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.
- |
-
- An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.
- |
-
-
- 3.1.1
3.1.5 |
Disable SSH Access via Empty Passwords |
Disallow SSH login with empty passwords.
@@ -220,82 +226,71 @@
|
3.1.1
3.1.5 |
- Disable SSH Root Login |
+ Restrict Serial Port Root Logins |
- The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-/etc/ssh/sshd_config:
-
-PermitRootLogin no
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
|
- Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
|
- | 3.1.1 |
- Disable GDM Automatic Login |
+ 3.1.1
3.4.5 |
+ Require Authentication for Emergency Systemd Target |
- The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -44,111 +44,177 @@
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record Events that Modify the System's Network Environment |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Creation Attempts to Files - open O_CREAT |
- If the auditd daemon is configured to use the
-augenrules program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix .rules in the
-directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+ The audit system should collect unauthorized file accesses for
+all users and root. The open syscall can be used to create new files
+when O_CREAT flag is specified.
+
+The following auidt rules will asure that unsuccessful attempts to create a
+file via open syscall are collected.
+
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rules below to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
-utility to read audit rules during daemon startup, add the following lines to
-/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
-appropriate for your system:
--a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+utility to read audit rules during daemon startup, add the rules below to
+/etc/audit/audit.rules file.
+
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+
|
- The network environment should not be modified by anything other
-than administrator action. Any change to network parameters should be
-audited.
+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
|
- AU-2(d)
AU-12(c)
AC-6(9)
CM-6(a) |
- Record attempts to alter time through settimeofday |
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Events that Modify the System's Mandatory Access Controls |
If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
--a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
-If the system is 64 bit then also add the following line:
--a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
-The -k option allows for the specification of a key in string form that can be
-used for better reporting capability through ausearch and aureport. Multiple
-system calls can be defined on the same line to save space if desired, but is
-not required. See an example of multiple combined syscalls:
--a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+-w /etc/selinux/ -p wa -k MAC-policy
|
- Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.
+ The system's mandatory access policy (SELinux) should not be
+arbitrarily changed by anything other than administrator action. All changes to
+MAC policy should be audited.
|
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Unsuccessful Permission Changes to Files - fchmodat |
+ Record Unsuccessful Delete Attempts to Files - unlink |
- The audit system should collect unsuccessful file permission change
+
+The audit system should collect unsuccessful file deletion
+attempts for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file.
+-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+
+If the system is 64 bit then also add the following lines:
+
+-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+ |
+
+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
+these events could serve as evidence of potential system compromise.
+ |
+
+
+ AU-2(d)
AU-12(c)
CM-6(a) |
+ Record Unsuccessful Ownership Changes to Files - lchown |
+
+ The audit system should collect unsuccessful file ownership change
attempts for all users and root.
+
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
+
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
--a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
+-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+
If the system is 64 bit then also add the following lines:
--a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
+-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
|
- Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
|
+ IA-2
AC-6(5)
IA-4(b) |
+ Verify Only Root Has UID 0 |
+
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+ |
+
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
+ |
+
+
AU-2(d)
AU-12(c)
CM-6(a) |
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr |
+ Ensure auditd Collects File Deletion Events by User - unlink |
+
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2023-02-06 00:00:00.000000000 +0000
@@ -117,6 +117,22 @@
|
| Req-1.4.1 |
+ Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
+
+ To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
+ |
+
+ A TCP SYN flood attack can cause a denial of service by filling a
+system's TCP connection table with connections in the SYN_RCVD state.
+Syncookies can be used to track a connection when a subsequent ACK is received,
+verifying the initiator is attempting a valid connection and is not a flood
+source. This feature is activated when a flood condition is detected, and
+enables the system to continue servicing valid connection requests.
+ |
+
+
+ | Req-1.4.1 |
Set configuration for IPv6 loopback traffic |
Configure the loopback interface to accept traffic.
@@ -147,22 +163,6 @@
|
| Req-1.4.1 |
- Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces |
-
- To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1
- |
-
- A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.
- |
-
-
- | Req-1.4.1 |
Set Default ip6tables Policy for Incoming Packets |
To set the default policy to DROP (instead of ACCEPT) for
@@ -242,6 +242,22 @@
|
| Req-1.4.3 |
+ Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
+ |
+
+ ICMP redirect messages are used by routers to inform hosts that a more
+direct route exists for a particular destination. These messages modify the
+host's route table and are unauthenticated. An illicit ICMP redirect
+message could result in a man-in-the-middle attack.
+
This feature of the IPv4 protocol has few legitimate uses. It should
+be disabled unless absolutely required.
+ |
+
+
+ | Req-1.4.3 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -257,6 +273,21 @@
|
| Req-1.4.3 |
+ Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
+
+ To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
+ |
+
+ Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
+ |
+
+
+ | Req-1.4.3 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default |
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
@@ -288,37 +319,6 @@
|
| Req-1.4.3 |
- Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0
- |
-
- ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-
This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.
- |
-
-
- | Req-1.4.3 |
- Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces |
-
- To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1
- |
-
- Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
- |
-
-
- | Req-1.4.3 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces |
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
@@ -348,22 +348,6 @@
|
| Req-2.2 |
- Configure SSH to use System Crypto Policy |
-
- Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-SSH is supported by crypto policy, but the SSH configuration may be
-set up to ignore it.
-To check that Crypto Policies settings are configured correctly, ensure that
-the CRYPTO_POLICY variable is either commented or not set at all
-in the /etc/sysconfig/sshd.
- |
-
- Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
-and makes system configuration more fragmented.
- |
-
-
- | Req-2.2 |
Configure Libreswan to use System Crypto Policy |
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -383,17 +367,41 @@
|
+ | Req-2.2 |
+ Configure SSH to use System Crypto Policy |
+
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+SSH is supported by crypto policy, but the SSH configuration may be
+set up to ignore it.
+To check that Crypto Policies settings are configured correctly, ensure that
+the CRYPTO_POLICY variable is either commented or not set at all
+in the /etc/sysconfig/sshd.
+ |
+
+ Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
+and makes system configuration more fragmented.
+ |
+
+
| Req-2.2.1 |
- Enable NX or XD Support in the BIOS |
+ Install PAE Kernel on Supported 32-bit x86 Systems |
- Reboot the system and enter the BIOS or Setup configuration menu.
-Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
-under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
-on AMD-based systems.
+ Systems that are using the 64-bit x86 kernel package
+do not need to install the kernel-PAE package because the 64-bit
+x86 kernel already includes this support. However, if the system is
+32-bit and also supports the PAE and NX features as
+determined in the previous section, the kernel-PAE package should
+be installed to enable XD or NX support.
+The kernel-PAE package can be installed with the following command:
+
+$ sudo yum install kernel-PAE
+The installation process should also have configured the
+bootloader to load the new kernel at boot. Verify this after reboot
+and modify /etc/default/grub if necessary.
|
- Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
-allow users to turn the feature on or off at will.
+ On 32-bit systems that support the XD or NX bit, the vendor-supplied
+PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 7
+1DISA STIG for Red Hat Enterprise Linux 7
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux V3R10.
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-1DISA STIG for Red Hat Enterprise Linux 8
+1DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R9.
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -192,7 +192,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -245,78 +245,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -325,63 +309,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -402,39 +372,53 @@
+
+
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -194,7 +194,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -247,78 +247,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -327,63 +311,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -404,39 +374,53 @@
+
+
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,78 +51,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -131,63 +115,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -208,39 +178,53 @@
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -232,7 +232,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -285,54 +285,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
+
-
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -341,41 +332,15 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
+
@@ -384,68 +349,54 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -234,7 +234,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -287,54 +287,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
+
-
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -343,41 +334,15 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
+
@@ -386,68 +351,54 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -51,54 +51,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
+
-
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -107,41 +98,15 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
+
@@ -150,68 +115,54 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -184,7 +184,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -237,61 +237,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -299,45 +268,31 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
-
+
+
@@ -346,54 +301,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -186,7 +186,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -239,61 +239,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -301,45 +270,31 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
-
+
+
@@ -348,54 +303,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -51,61 +51,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -113,45 +82,31 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
-
+
+
@@ -160,54 +115,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -160,7 +160,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -203,25 +203,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
@@ -229,25 +229,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
@@ -256,38 +245,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -295,29 +265,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -338,19 +308,38 @@
+
+
+
+
+
-
+
-
+
+
+
+
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -160,7 +160,7 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -203,25 +203,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
@@ -229,25 +229,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
@@ -256,38 +245,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -295,29 +265,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -338,19 +308,38 @@
+
+
+
+
+
-
+
-
+
+
+
+
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,442 +7,436 @@
2023-02-06T00:00:00
-
- Record Successful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
-
-
-
- Ensure All Groups on the System Have Unique Group Names
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-group_unique_name_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Record Successful Creation Attempts to Files - open O_CREAT
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Install rear Package
+
+ Configure SSSD to Expire SSH Known Hosts
- ocil:ssg-package_rear_installed_action:testaction:1
+ ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure that /etc/at.deny does not exist
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-file_at_deny_not_exist_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ Enable poison of pages after freeing
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-kernel_config_page_poisoning_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Disable loading and unloading of kernel modules
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
-
- Encrypt Partitions
+
+ Enable module signature verification
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Install openscap-scanner Package
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Verify /boot/grub2/user.cfg Permissions
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1
-
- Enable syslog-ng Service
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Ensure SMEP is not disabled during boot
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
-
- Verify permissions on Message of the Day Banner
+
+ Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
- ocil:ssg-file_permissions_etc_motd_action:testaction:1
+ ocil:ssg-network_nmcli_permissions_action:testaction:1
-
- Record attempts to alter time through settimeofday
+
+ Modify the System Login Banner
- ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+ ocil:ssg-banner_etc_issue_action:testaction:1
-
- Record Unsuccessful Permission Changes to Files - fchmodat
+
+ Enable authselect
- ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1
+ ocil:ssg-enable_authselect_action:testaction:1
-
- Disable GDM Guest Login
+
+ Disable anacron Service
- ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1
+ ocil:ssg-disable_anacron_action:testaction:1
-
- Uninstall krb5-workstation Package
+
+ Set hostname as computer node name in audit logs
- ocil:ssg-package_krb5-workstation_removed_action:testaction:1
+ ocil:ssg-auditd_name_format_action:testaction:1
-
- Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
+
+ Enable dnf-automatic Timer
- ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
+ ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1
-
- Enable TCP/IP syncookie support
+
+ Verify Group Ownership of System Login Banner for Remote Connections
- ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1
-
- Install vim Package
+
+ Enable the pcscd Service
- ocil:ssg-package_vim_installed_action:testaction:1
+ ocil:ssg-service_pcscd_enabled_action:testaction:1
-
- Enable GSSAPI Authentication
+
+ Enable page allocator poisoning
- ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+ ocil:ssg-grub2_page_poison_argument_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Fedora
This guide presents a catalog of security-relevant
configuration settings for Fedora. It is a rendering of
@@ -43,25 +43,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
-
-
-
+
+
+
@@ -69,25 +69,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
@@ -96,38 +85,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -135,29 +105,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -178,19 +148,38 @@
+
+
+
+
+
-
+
-
+
+
+
+
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -156,7 +156,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -199,67 +199,51 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
-
+
@@ -268,38 +252,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -307,29 +272,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -350,24 +315,43 @@
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -158,7 +158,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -201,67 +201,51 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
-
+
@@ -270,38 +254,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -309,29 +274,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -352,24 +317,43 @@
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,418 +7,412 @@
2023-02-06T00:00:00
-
- Record Successful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
-
-
-
- Verify Permissions on /etc/hosts.deny
+
+ Disable SCTP Support
- ocil:ssg-file_permissions_etc_hosts_deny_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Package uuidd Installed
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-package_uuidd_installed_action:testaction:1
-
- Record Successful Creation Attempts to Files - open O_CREAT
+
+ Disable the xdm_exec_bootloader SELinux Boolean
- ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1
-
- Uninstall rsh Package
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-package_rsh_removed_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Install rear Package
+
+ Configure SSSD to Expire SSH Known Hosts
- ocil:ssg-package_rear_installed_action:testaction:1
+ ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Disable loading and unloading of kernel modules
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - kmod
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
-
- Encrypt Partitions
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Enable module signature verification
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Install openscap-scanner Package
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1
-
- Enable syslog-ng Service
+
+ Verify /boot/efi/EFI/redhat/user.cfg Permissions
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1
-
- Disable the daemons_use_tcp_wrapper SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Ensure SMEP is not disabled during boot
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
-
- Verify permissions on Message of the Day Banner
+
+ Modify the System Login Banner
- ocil:ssg-file_permissions_etc_motd_action:testaction:1
+ ocil:ssg-banner_etc_issue_action:testaction:1
-
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+
+ Install the SSSD Package
- ocil:ssg-sudo_add_ignore_dot_action:testaction:1
+ ocil:ssg-package_sssd_installed_action:testaction:1
-
- Record attempts to alter time through settimeofday
+
+ Configure the polyinstantiation_enabled SELinux Boolean
- ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+ ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
-
- Disable the mmap_low_allowed SELinux Boolean
+
+ Set hostname as computer node name in audit logs
- ocil:ssg-sebool_mmap_low_allowed_action:testaction:1
+ ocil:ssg-auditd_name_format_action:testaction:1
-
- Record Unsuccessful Permission Changes to Files - fchmodat
+
+ Verify Group Ownership of System Login Banner for Remote Connections
- ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 7
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 7. It is a rendering of
@@ -43,67 +43,51 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
-
+
@@ -112,38 +96,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -151,29 +116,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -194,24 +159,43 @@
+
+
+
+
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -164,7 +164,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -207,52 +207,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -260,25 +238,25 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
@@ -287,43 +265,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -331,29 +285,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -374,24 +328,54 @@
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -166,7 +166,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -209,52 +209,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -262,25 +240,25 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
@@ -289,43 +267,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -333,29 +287,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -376,24 +330,54 @@
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,568 +7,544 @@
2023-02-06T00:00:00
-
- Record Successful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
-
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
-
-
-
- Verify Group Who Owns lastlog Command
-
- ocil:ssg-file_groupownership_lastlog_action:testaction:1
-
-
-
- Enable the login_console_enabled SELinux Boolean
-
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
-
-
-
- Record Successful Creation Attempts to Files - open O_CREAT
+
+ Disable SCTP Support
- ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Uninstall rsh Package
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-package_rsh_removed_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Install rear Package
+
+ Disable the xdm_exec_bootloader SELinux Boolean
- ocil:ssg-package_rear_installed_action:testaction:1
+ ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ Configure SSSD to Expire SSH Known Hosts
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Disable loading and unloading of kernel modules
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
-
- Encrypt Partitions
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - kmod
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Enable module signature verification
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Enable syslog-ng Service
+
+ Install openscap-scanner Package
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- Disable the daemons_use_tcp_wrapper SELinux Boolean
+
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow
- ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1
+ ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Verify /boot/efi/EFI/redhat/user.cfg Permissions
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1
-
- Verify permissions on Message of the Day Banner
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-file_permissions_etc_motd_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot
+
+ Ensure SMEP is not disabled during boot
- ocil:ssg-sudo_add_ignore_dot_action:testaction:1
+ ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
-
- Configure a Sufficiently Large Partition for Audit Logs
+
+ Modify the System Login Banner
- ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1
+ ocil:ssg-banner_etc_issue_action:testaction:1
-
- Audit Tools Must Have a Mode of 0755 or Less Permissive
+
+ Install the SSSD Package
- ocil:ssg-file_audit_tools_permissions_action:testaction:1
+ ocil:ssg-package_sssd_installed_action:testaction:1
-
- Record attempts to alter time through settimeofday
+
+ Enable authselect
- ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+ ocil:ssg-enable_authselect_action:testaction:1
-
- Disable the mmap_low_allowed SELinux Boolean
+
+ Configure the polyinstantiation_enabled SELinux Boolean
- ocil:ssg-sebool_mmap_low_allowed_action:testaction:1
+ ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 8
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 8. It is a rendering of
@@ -43,52 +43,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -96,25 +74,25 @@
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
-
+
@@ -123,43 +101,19 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -167,29 +121,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -210,24 +164,54 @@
/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -144,7 +144,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -187,30 +187,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
@@ -218,25 +213,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
@@ -250,19 +234,14 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -270,29 +249,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -313,19 +292,29 @@
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -333,9 +322,20 @@
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -146,7 +146,7 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -189,30 +189,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
@@ -220,25 +215,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
@@ -252,19 +236,14 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -272,29 +251,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -315,19 +294,29 @@
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -335,9 +324,20 @@
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,934 +7,928 @@
2023-02-06T00:00:00
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
-
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
-
-
-
- Uninstall rsh Package
+
+ Disable SCTP Support
- ocil:ssg-package_rsh_removed_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Install rear Package
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-package_rear_installed_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ Disable loading and unloading of kernel modules
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - kmod
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
-
- Encrypt Partitions
+
+ Enable module signature verification
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Install openscap-scanner Package
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure SMEP is not disabled during boot
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
-
- Enable syslog-ng Service
+
+ Modify the System Login Banner
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-banner_etc_issue_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Enable authselect
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-enable_authselect_action:testaction:1
-
- Configure a Sufficiently Large Partition for Audit Logs
+
+ Configure the polyinstantiation_enabled SELinux Boolean
- ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1
+ ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
-
- Audit Tools Must Have a Mode of 0755 or Less Permissive
+
+ Set hostname as computer node name in audit logs
- ocil:ssg-file_audit_tools_permissions_action:testaction:1
+ ocil:ssg-auditd_name_format_action:testaction:1
-
- Record attempts to alter time through settimeofday
+
+ Enable dnf-automatic Timer
- ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+ ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1
-
- Uninstall krb5-workstation Package
+
+ Enable the pcscd Service
- ocil:ssg-package_krb5-workstation_removed_action:testaction:1
+ ocil:ssg-service_pcscd_enabled_action:testaction:1
-
- Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
+
+ Enable page allocator poisoning
- ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
+ ocil:ssg-grub2_page_poison_argument_action:testaction:1
-
- Enable TCP/IP syncookie support
+
+ Configure SSSD to Expire Offline Credentials
- ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+ ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
-
- Add nodev Option to /home
+
+ Install the Host Intrusion Prevention System (HIPS) Module
- ocil:ssg-mount_option_home_nodev_action:testaction:1
+ ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
-
- Enable GSSAPI Authentication
+
+ Verify User Who Owns Backup gshadow File
- ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+ ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
-
- Enable rsyslog Service
+
+ Ensure rsyslog is Installed
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr
+
+ Configure Kernel Parameter for Accepting Secure Redirects By Default
- ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Oracle Linux 9
This guide presents a catalog of security-relevant
configuration settings for Oracle Linux 9. It is a rendering of
@@ -43,30 +43,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
@@ -74,25 +69,14 @@
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
@@ -106,19 +90,14 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
@@ -126,29 +105,29 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -169,19 +148,29 @@
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -189,9 +178,20 @@
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -132,7 +132,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -175,31 +175,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -207,25 +201,20 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
+
@@ -239,63 +228,68 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -303,14 +297,20 @@
-
+
-
+
-
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -132,7 +132,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -175,31 +175,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -207,25 +201,20 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
+
@@ -239,63 +228,68 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -303,14 +297,20 @@
-
+
-
+
-
+
+
+
+
+
+
+
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,3615 +7,3615 @@
2023-02-06T00:00:00
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
+
+ Disable SCTP Support
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ Enable module signature verification
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1
-
- Encrypt Partitions
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Ensure SMEP is not disabled during boot
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-network_nmcli_permissions_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Modify the System Login Banner
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-banner_etc_issue_action:testaction:1
-
- Enable syslog-ng Service
+
+ Set hostname as computer node name in audit logs
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-auditd_name_format_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Verify Group Ownership of System Login Banner for Remote Connections
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1
-
- Record attempts to alter time through settimeofday
+
+ Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow
- ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+ ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1
-
- Record Unsuccessful Permission Changes to Files - fchmodat
+
+ Record Unsuccessful Creation Attempts to Files - open O_CREAT
- ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1
+ ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1
-
- Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
+
+ Configure SSSD to Expire Offline Credentials
- ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
+ ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
-
- Enable TCP/IP syncookie support
+
+ Install the Host Intrusion Prevention System (HIPS) Module
- ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+ ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
-
- Add nodev Option to /home
+
+ Verify User Who Owns Backup gshadow File
- ocil:ssg-mount_option_home_nodev_action:testaction:1
+ ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
-
- Enable GSSAPI Authentication
+
+ Ensure rsyslog is Installed
- ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
-
- Enable rsyslog Service
+
+ Configure Kernel Parameter for Accepting Secure Redirects By Default
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr
+
+ Enable poison without sanity check
- ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
+ ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1
-
- Set Password Warning Age
+
+ Ensure SELinux State is Enforcing
- ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1
+ ocil:ssg-selinux_state_action:testaction:1
-
- Record Unsuccessful Access Attempts to Files - truncate
+
+ Verify Permissions on passwd File
- ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1
+ ocil:ssg-file_permissions_etc_passwd_action:testaction:1
-
- Make the auditd Configuration Immutable
+
+ Record Events that Modify the System's Mandatory Access Controls
- ocil:ssg-audit_rules_immutable_action:testaction:1
+ ocil:ssg-audit_rules_mac_modification_action:testaction:1
-
- Configure auditing of unsuccessful ownership changes
+
+ Configure audispd's Plugin disk_full_action When Disk Is Full
/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -43,31 +43,25 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -75,25 +69,20 @@
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
-
+
+
@@ -107,63 +96,68 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
+
+
+
+
+
@@ -171,14 +165,20 @@
-
+
-
+
-
+
+
+
+
+
+
+
-
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -188,7 +188,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -231,78 +231,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -311,63 +295,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -388,39 +358,53 @@
+
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -190,7 +190,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -233,78 +233,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -313,63 +297,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -390,39 +360,53 @@
+
+
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,1246 +7,1240 @@
2023-02-06T00:00:00
-
- Record Successful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
-
-
-
- Verify Permissions on /etc/hosts.deny
+
+ Disable SCTP Support
- ocil:ssg-file_permissions_etc_hosts_deny_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
+
+ Disable the condor_tcp_network_connect SELinux Boolean
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
+ ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1
-
- Enable HTTPD LogLevel
+
+ Disable the mplayer_execstack SELinux Boolean
- ocil:ssg-httpd_enable_loglevel_action:testaction:1
+ ocil:ssg-sebool_mplayer_execstack_action:testaction:1
-
- Ensure All Groups on the System Have Unique Group Names
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-group_unique_name_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Disable the xdm_exec_bootloader SELinux Boolean
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1
-
- Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Record Successful Creation Attempts to Files - open O_CREAT
+
+ Configure SSSD to Expire SSH Known Hosts
- ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
-
- Disable the httpd_dontaudit_search_dirs SELinux Boolean
+
+ Ensure that /etc/at.deny does not exist
- ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1
+ ocil:ssg-file_at_deny_not_exist_action:testaction:1
-
- Disable the gluster_export_all_ro SELinux Boolean
+
+ Disable loading and unloading of kernel modules
- ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1
+ ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
-
- Uninstall rsh Package
+
+ Install the docker Package
- ocil:ssg-package_rsh_removed_action:testaction:1
+ ocil:ssg-package_docker_installed_action:testaction:1
-
- Disable the openvpn_enable_homedirs SELinux Boolean
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - kmod
- ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
-
- Install rear Package
+
+ All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
- ocil:ssg-package_rear_installed_action:testaction:1
+ ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ Disable the dbadm_read_user_files SELinux Boolean
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Disable the cluster_manage_all_files SELinux Boolean
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1
-
- Encrypt Partitions
+
+ Scan All Uploaded Content for Malicious Software
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Enable module signature verification
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Uninstall CUPS Package
+
+ The robots.txt Files Must Not Exist
- ocil:ssg-package_cups_removed_action:testaction:1
+ ocil:ssg-httpd_remove_robots_file_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Install openscap-scanner Package
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1
-
- Enable syslog-ng Service
+
+ Verify /boot/efi/EFI/redhat/user.cfg Permissions
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -43,78 +43,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -123,63 +107,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -200,39 +170,53 @@
+
+
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -228,7 +228,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -271,54 +271,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
+
-
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -327,41 +318,15 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
+
@@ -370,68 +335,54 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -230,7 +230,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -273,54 +273,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
+
-
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -329,41 +320,15 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
+
@@ -372,68 +337,54 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,796 +7,784 @@
2023-02-06T00:00:00
-
- Record Successful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
-
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
-
-
-
- Enable HTTPD LogLevel
+
+ Disable SCTP Support
- ocil:ssg-httpd_enable_loglevel_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Ensure All Groups on the System Have Unique Group Names
+
+ Disable the condor_tcp_network_connect SELinux Boolean
- ocil:ssg-group_unique_name_action:testaction:1
+ ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Disable the mplayer_execstack SELinux Boolean
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-sebool_mplayer_execstack_action:testaction:1
-
- Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Record Successful Creation Attempts to Files - open O_CREAT
+
+ Disable the xdm_exec_bootloader SELinux Boolean
- ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1
-
- Disable the httpd_dontaudit_search_dirs SELinux Boolean
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Disable the gluster_export_all_ro SELinux Boolean
+
+ Configure SSSD to Expire SSH Known Hosts
- ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1
+ ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
-
- Uninstall rsh Package
+
+ Ensure that /etc/at.deny does not exist
- ocil:ssg-package_rsh_removed_action:testaction:1
+ ocil:ssg-file_at_deny_not_exist_action:testaction:1
-
- Disable the openvpn_enable_homedirs SELinux Boolean
+
+ Enable poison of pages after freeing
- ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1
+ ocil:ssg-kernel_config_page_poisoning_action:testaction:1
-
- Install rear Package
+
+ Disable loading and unloading of kernel modules
- ocil:ssg-package_rear_installed_action:testaction:1
+ ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - kmod
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Encrypt Partitions
+
+ Disable the dbadm_read_user_files SELinux Boolean
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable the cluster_manage_all_files SELinux Boolean
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1
-
- Uninstall CUPS Package
+
+ Verify Group Who Owns /etc/at.allow file
- ocil:ssg-package_cups_removed_action:testaction:1
+ ocil:ssg-file_groupowner_at_allow_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Scan All Uploaded Content for Malicious Software
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-httpd_antivirus_scan_uploads_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Enable module signature verification
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Enable syslog-ng Service
+
+ The robots.txt Files Must Not Exist
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-httpd_remove_robots_file_action:testaction:1
-
- Disable the daemons_use_tcp_wrapper SELinux Boolean
+
+ Install openscap-scanner Package
- ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -43,54 +43,45 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
+
-
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -99,41 +90,15 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
-
+
+
@@ -142,68 +107,54 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -180,7 +180,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -223,61 +223,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -285,45 +254,31 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
-
+
+
@@ -332,54 +287,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -182,7 +182,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -225,61 +225,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -287,45 +256,31 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
-
+
+
@@ -334,54 +289,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,712 +7,724 @@
2023-02-06T00:00:00
-
- Record Successful Access Attempts to Files - ftruncate
+
+ Disable SCTP Support
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
+
+ Disable the condor_tcp_network_connect SELinux Boolean
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
+ ocil:ssg-sebool_condor_tcp_network_connect_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Disable the mplayer_execstack SELinux Boolean
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-sebool_mplayer_execstack_action:testaction:1
-
- Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
+
+ Configure auditing of unsuccessful file accesses (AArch64)
- ocil:ssg-file_permissions_httpd_server_modules_files_action:testaction:1
+ ocil:ssg-audit_access_failed_aarch64_action:testaction:1
-
- Record Successful Creation Attempts to Files - open O_CREAT
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Disable the httpd_dontaudit_search_dirs SELinux Boolean
+
+ Disable the xdm_exec_bootloader SELinux Boolean
- ocil:ssg-sebool_httpd_dontaudit_search_dirs_action:testaction:1
+ ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1
-
- Disable the gluster_export_all_ro SELinux Boolean
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-sebool_gluster_export_all_ro_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Uninstall rsh Package
+
+ Ensure that /etc/at.deny does not exist
- ocil:ssg-package_rsh_removed_action:testaction:1
+ ocil:ssg-file_at_deny_not_exist_action:testaction:1
-
- Disable the openvpn_enable_homedirs SELinux Boolean
+
+ Enable poison of pages after freeing
- ocil:ssg-sebool_openvpn_enable_homedirs_action:testaction:1
+ ocil:ssg-kernel_config_page_poisoning_action:testaction:1
-
- Install rear Package
+
+ Disable loading and unloading of kernel modules
- ocil:ssg-package_rear_installed_action:testaction:1
+ ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - kmod
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1
-
- Add nosuid Option to /var/log/audit
+
+ Disable the dbadm_read_user_files SELinux Boolean
- ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1
+ ocil:ssg-sebool_dbadm_read_user_files_action:testaction:1
-
- Perform general configuration of Audit for OSPP (ppc64le)
+
+ Disable the cluster_manage_all_files SELinux Boolean
- ocil:ssg-audit_ospp_general_ppc64le_action:testaction:1
+ ocil:ssg-sebool_cluster_manage_all_files_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Verify Group Who Owns /etc/at.allow file
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-file_groupowner_at_allow_action:testaction:1
-
- Encrypt Partitions
+
+ Enable module signature verification
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Configure auditing of successful file modifications (AArch64)
+
+ Install openscap-scanner Package
- ocil:ssg-audit_modify_success_aarch64_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Record Events that Modify User/Group Information via open syscall - /etc/shadow
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1
-
- Uninstall CUPS Package
+
+ Verify /boot/grub2/user.cfg Permissions
- ocil:ssg-package_cups_removed_action:testaction:1
+ ocil:ssg-file_permissions_efi_user_cfg_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Ensure SMEP is not disabled during boot
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
-
- Enable syslog-ng Service
+
+ Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-network_nmcli_permissions_action:testaction:1
-
- Disable the daemons_use_tcp_wrapper SELinux Boolean
+
+ Modify the System Login Banner
/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 9
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -43,61 +43,30 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
+
@@ -105,45 +74,31 @@
-
-
-
-
-
-
+
-
+
-
+
-
-
-
-
-
-
+
-
+
-
+
+
-
+
-
-
-
-
-
-
-
+
+
@@ -152,54 +107,64 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,45 +171,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -217,53 +211,49 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -271,19 +261,23 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
@@ -291,14 +285,20 @@
-
+
-
+
-
+
+
+
+
+
+
+
-
+
@@ -2005,6 +2005,16 @@
The hashes of important files like system executables should match the
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -128,7 +128,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -171,45 +171,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -217,53 +211,49 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -271,19 +261,23 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
@@ -291,14 +285,20 @@
-
+
-
+
-
+
+
+
+
+
+
+
-
+
@@ -2005,6 +2005,16 @@
The hashes of important files like system executables should match the
/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 2023-02-06 00:00:00.000000000 +0000
@@ -7,2710 +7,2704 @@
2023-02-06T00:00:00
-
- Record Successful Access Attempts to Files - ftruncate
-
- ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1
-
-
-
- Configure Accepting Router Advertisements on All IPv6 Interfaces
+
+ Disable SCTP Support
- ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1
+ ocil:ssg-kernel_module_sctp_disabled_action:testaction:1
-
- Enable the login_console_enabled SELinux Boolean
+
+ Ensure the default plugins for the audit dispatcher are Installed
- ocil:ssg-sebool_login_console_enabled_action:testaction:1
+ ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1
-
- Uninstall rsh Package
+
+ Disable the xdm_exec_bootloader SELinux Boolean
- ocil:ssg-package_rsh_removed_action:testaction:1
+ ocil:ssg-sebool_xdm_exec_bootloader_action:testaction:1
-
- Verify User Who Owns /var/log/messages File
+
+ Enable Auditing for Processes Which Start Prior to the Audit Daemon
- ocil:ssg-file_owner_var_log_messages_action:testaction:1
+ ocil:ssg-grub2_audit_argument_action:testaction:1
-
- Verify that System Executables Have Root Ownership
+
+ Configure SSSD to Expire SSH Known Hosts
- ocil:ssg-file_ownership_binary_dirs_action:testaction:1
+ ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1
-
- Encrypt Partitions
+
+ All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
- ocil:ssg-encrypt_partitions_action:testaction:1
+ ocil:ssg-accounts_users_home_files_groupownership_action:testaction:1
-
- Randomize the address of the kernel image (KASLR)
+
+ Disable the abrt_upload_watch_anon_write SELinux Boolean
- ocil:ssg-kernel_config_randomize_base_action:testaction:1
+ ocil:ssg-sebool_abrt_upload_watch_anon_write_action:testaction:1
-
- Record Events that Modify the System's Network Environment
+
+ Enable module signature verification
- ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1
+ ocil:ssg-kernel_config_module_sig_action:testaction:1
-
- Enforce Spectre v2 mitigation
+
+ Install openscap-scanner Package
- ocil:ssg-grub2_spectre_v2_argument_action:testaction:1
+ ocil:ssg-package_openscap-scanner_installed_action:testaction:1
-
- Enable syslog-ng Service
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - chage
- ocil:ssg-service_syslogng_enabled_action:testaction:1
+ ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1
-
- Disable the daemons_use_tcp_wrapper SELinux Boolean
+
+ Ensure SMEP is not disabled during boot
- ocil:ssg-sebool_daemons_use_tcp_wrapper_action:testaction:1
+ ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1
-
- System Audit Logs Must Be Owned By Root
+
+ Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
- ocil:ssg-file_ownership_var_log_audit_action:testaction:1
+ ocil:ssg-network_nmcli_permissions_action:testaction:1
-
- Verify permissions on Message of the Day Banner
+
+ Modify the System Login Banner
- ocil:ssg-file_permissions_etc_motd_action:testaction:1
+ ocil:ssg-banner_etc_issue_action:testaction:1
-
- Record attempts to alter time through settimeofday
+
+ Configure the polyinstantiation_enabled SELinux Boolean
- ocil:ssg-audit_rules_time_settimeofday_action:testaction:1
+ ocil:ssg-sebool_polyinstantiation_enabled_action:testaction:1
-
- Disable the mmap_low_allowed SELinux Boolean
+
+ Set hostname as computer node name in audit logs
- ocil:ssg-sebool_mmap_low_allowed_action:testaction:1
+ ocil:ssg-auditd_name_format_action:testaction:1
-
- Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
+
+ Verify Group Ownership of System Login Banner for Remote Connections
- ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1
+ ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1
-
- Enable TCP/IP syncookie support
+
+ Enable the pcscd Service
- ocil:ssg-kernel_config_syn_cookies_action:testaction:1
+ ocil:ssg-service_pcscd_enabled_action:testaction:1
-
- Install vim Package
+
+ Configure SSSD to Expire Offline Credentials
- ocil:ssg-package_vim_installed_action:testaction:1
+ ocil:ssg-sssd_offline_cred_expiration_action:testaction:1
-
- Enable GSSAPI Authentication
+
+ Install the Host Intrusion Prevention System (HIPS) Module
- ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1
+ ocil:ssg-package_MFEhiplsm_installed_action:testaction:1
-
- Enable rsyslog Service
+
+ Verify User Who Owns Backup gshadow File
- ocil:ssg-service_rsyslog_enabled_action:testaction:1
+ ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1
-
- Record Events that Modify the System's Discretionary Access Controls - lsetxattr
+
+ Ensure rsyslog is Installed
- ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1
+ ocil:ssg-package_rsyslog_installed_action:testaction:1
/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Virtualization 4
This guide presents a catalog of security-relevant
configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -43,45 +43,39 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -89,53 +83,49 @@
-
+
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -143,19 +133,23 @@
-
+
-
+
+
+
+
+
-
+
-
+
-
+
-
+
@@ -163,14 +157,20 @@
-
+
-
+
-
+
+
+
+
+
+
+
-
+
@@ -1877,6 +1877,16 @@
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2023-02-06 00:00:00.000000000 +0000
@@ -192,7 +192,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -245,78 +245,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -325,63 +309,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -402,39 +372,53 @@
+
+
/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 2023-02-06 00:00:00.000000000 +0000
@@ -194,7 +194,7 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -247,78 +247,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -327,63 +311,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -404,39 +374,53 @@
+
+
/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 2023-02-06 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 7
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,78 +51,62 @@
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
+
-
-
+
-
+
-
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
-
+
-
+
-
+
-
-
+
+
@@ -131,63 +115,49 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
@@ -208,39 +178,53 @@
+
+
+
+
RPMS.2017/scap-security-guide-ubuntu-0.1.66-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.66-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-ubuntu-0.1.66-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.66-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-ubuntu
--- old-rpm-tags
+++ new-rpm-tags
@@ -202,4 +202,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html ec7200dcfb49ed0c69ee4152f35dc8dc843771d4dded1260d4db8f5a17f9420f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 2ba02612b1cdb848e6669ecc7bbbe7c37ff732a0d7f558a45e381578dfb87b65 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html dd78b8ee28b5b2fc2774f3750d0c097ff6530573c8f258c638c74b6b2a711892 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html c0e6c721076f8209f4cad5e12d39a8cc2a22cbbcfd4a0157578046b67fb0bc29 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html c8e56c544558660ce5a1d34f9a1fac28d832c15475600b7463b236b9352d48ab 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 3524a61e560a48a3d91eae2e13f861f0e9789f882729dbef82941b6e57cd2acc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html 796068a2bedc6720920fb13212f3ecb06f385a23d78c7ba80e3a98d8ef1dceb3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html ed185bcb014771f7d72d4512daa64720966c892e946b4f83b302b362ccffcd71 2
@@ -207,6 +207,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html d8bf3e2cd88fd7ead153c68a39123a11a22a0ed22d4fe598776c93c16f56de79 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html b3b0bc3fbbaf8a86a3b21eb1de3110362694da8588ed52e980c83203cd25bca2 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html c6139af381ef7f452f431a1f67dcb0b571188070b843bc3d5648134f901f2cd0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 0b0b0b9304b158a04eac5e51aefa78cd963cdcefc40c68b9ba761b269d1d02f3 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 3d98230a1ba468fa63ed5047ce2d366ff1f9725efffc5ef2525ed9a87f44e3e0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html bfc2a0820520346e64b79d2665ab1f27f0da8d5777a7a4f161673da48a990e76 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 1e8853c105bd622f138c794fe94dd7120e154302f02cdecae5bdb604d73c681b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 588033c1e2e0dbd324e700b523a582a73d558ae607b145acd3a6549a1905300c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html bf49297cca1ff828b8a270b671ca79b9cff8bfcc9c0139da8da325ecc24b4c33 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html c6b69e9f06fc7d007b6b787d2422eff389b3bf3a0ae787b88f97064188356d86 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html e925fc4fdbef5816f6921a4087344b0c0b30811141762094113fd677b8327d6c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html bca3a330e3fa39c20ebc7d1221823b539a210147e67020dad78c1cd0cca2fa25 2
@@ -214,5 +214,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html eaffcfe7e1127ef712fbcd1f3f3ec7bd3478a4d85791b6322691977838cc68f5 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 86db868c179f81935e34768cbf80ca2f32a6b357dfd1d69f58a9dbfba1e77c4a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 9e3d9593c0546ade8209744ea71f9e14aa18afe3513da161cbb4a8aefeb1acfb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 73dcee53ac761c4b216cb3dce50675dfa2228e6566f739ae724cdabc2125bf99 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 7cc69b66aee6c0ffbc6de974223b9f0234e84f9a543fb9e1d524dad1461b4267 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html ec21d45cd400acba98d6cdc723723c4bb64ca2a2b2a9239049309236edd1df76 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html bff0533fe01f96081788b05b976d167aef28669439c50271be2267d45331dcd7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html ab3e7c62c96ae085d16740666e4d2cddd9e315c69363f4a37ec767bbe1d9544b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 133a093f82836c85888c2100cee97a1309fe6cbdd61cd5b336d09ceacc8b5512 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html fd231f9e1f5caeb8ce0a1893a3cbe5050098bc995a1047e5f26c767922b6ca86 2
@@ -220,6 +220,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html da408f1f42e452dac4f14bb6baeb7e1a9fd6b9f0ee2b0121176376e490c89a29 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 085acd158000e8d187c985ae2078ea88f5cf7119cf99218adb22b017c2b55fb1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html 4a91e69e5cd997cb93c6daff51dfc0fda82c458c8258fc9ad9e88de0b9ce9c01 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 582078ef3d67fa84ef4362a5d33ba20cad02bd8210c4e09295c8a43721169d43 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 21204f064b6eda6453d5fe765ec800030d6b8fff02629537b21e3a0dd083cde0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html a1b1ba44e7c52fa629bcc8f3e843a5cbe7cc6c9870f605e6cc1aa0eca554db81 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html b742071eae2d265fc4a90bb41b892b1c46f39f9c630d183447b72681329dc439 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html d470da03cbcfdfd3bc4659cd40919033ac73209c47ddd9e35721b5f54bc70a45 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html b365ba4a54ca2c5595e6597c377f6da8120eb2ade692514f40f4ebc2555f46dd 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html ca73e3a79ce3e092610f0136d3994cc1c9bd86853cbe50176b6eb7ec2def4caf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 5ab129b8a753bd280d9e861d559ff26f8a9abe09fa186626176017ae9aff0cec 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html 59508a393ac21baaadc24fd04721be46760280b35d2688ce379dc2625dad2112 2
@@ -227 +227 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html de4a1be5f9db15bbfc53f19dea9993267142386f15cd4c73e11d1c779508c020 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html 8521f24a599ab6ba771cddb622da1b2046a34771cf81c7c9fc850542adb7e449 2
@@ -284,3 +284,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 6869db464a6c2c18248e3e4153fe21858f2f6c3ede1584ac5b3162acf46184ab 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 6cef3deb71061d5f3e4c71558b3ea56dc769ef12476f1ce908dcadb4ce62775a 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 8fa338c3e35b13489b0f42de351fd124ced874f812de3445a3c4a3a0812cb886 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 28e9eb8bb81bf6c5a6caeab0c86f9945af56ea3559bf3284f3317216cb775158 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 83053021993249ef059ac493ce5ce24723c82930760a3977ddc26ecce4870cdf 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml b60240fefb5bd76984e6dd3583c8d6e65fd04f905a35df78c1a3864aa8a85ac7 0
@@ -288 +288 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 9ac50163cba37894e30a134e8b3144fa7b0d05127f62883e052bb764a5a95df9 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 3ffeb99df3a34018da795d2f7b0221c347938756fa4aa25dcd88161702185aba 0
@@ -291,3 +291,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 58dd1940788e16b2f5892cbaea42bcab73a1e609e3169f9984e030e014d49e6f 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 5b363dc13bd35b477b6bb23d7b1667774de39ebf1b64eabe79778ce4aea48aa6 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 79b32a25c9b5f076464f1464efe9c18b5f979b1382f8828fd511206bf794bcd7 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml e5fba0b0e4e3da2534e8ea8edd488bdfd8992481d6326ba21dba3711e7bf6d76 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml db8450e8f05927704bd9a127e329d38bd11897837559f05002f234d3987c9690 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml b7097d6a9e1d332ae20ad53fad8e7f837182128092e0ecee1b44295337254121 0
@@ -295 +295 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 89121694992aabf8f3e4dab348175faf226afae54f567c26e1c90d6c304bd185 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml e85ecaf5e90cbd608e5d1a1895be89b4250da3286f4108c9ca142b78bd19b269 0
@@ -298,3 +298,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 1c00358ebd44d35a580e1476d8eca1819363535810b2a305b25ba4fd52e3a8a2 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml bd51d380f2dab7a1f4957c5af0e3b67f24f8d50e21c39f0f4b828db318d60eae 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 9dbf71c77074aee3bf5f6dfa12e3594a7db56a086216032516eb595d353f5cc1 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 38ece3c058de91eac716d52e02b70240c279047f69c2a1fce7fbc860229b3dd6 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 8bb6207e64962a03e926a666301e847b36450f6b5147b958e65301da95f8e892 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 28d5d7bc8c55d4ce3a174a5395a543fb6db21dbd43e4f4a2c2f08abe6f26b60a 0
@@ -302 +302 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 7268e30afac6b8eb04e2f0782bfff0706f025f31a3ed17ffa67fdcb9e5cdf7ae 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 5ad196773d1cafada9b28982a0968883ffcd5dab79c17eb27ad1fb79ad3b4362 0
@@ -305,3 +305,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2eca8a965a1f04d9e6ab50e4b347486b7477076402e8528df9a5619243fd95e1 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 7fdf426214ed2d4bc03549b16d4df579f4533241190e94ab153f3fd906377198 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 3b59179f935a4a4d8573fecde39a0f858bc63ce7dfd7ed4695caff39333a3b48 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 4fa67ac3332b874311f87a6c27792df52e4c56803db3e619de212e6de961452a 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml c75e7071abcca177ad9d62e018eddb1abbbd88289b6aa22307115feb7ecbd682 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 7443570272292fb92b7f05688e36b265ac66aa45f8417b9b48a24d32477b0ac0 0
@@ -309 +309 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 54ca9dca3aa11d8b645aec789c11d09871f227c5f9fd98447b606c70f3ab862d 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 0b44044a8f381394d56c6f4c1b61e6df743003183de7f79ffb86ef869d07f5e1 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2023-02-06 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 2023-02-06 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 40 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
|
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,7 +507,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 22 groups and 46 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,11 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,10 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 9 groups and 19 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,7 +243,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 21 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,11 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,10 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 16.04
Group contains 19 groups and 45 rules | | Group
@@ -230,11 +230,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -284,10 +284,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -485,7 +485,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
-system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 40 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
Configure Syslog
Group contains 2 groups and 4 rules | [ref]
@@ -387,7 +387,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| | Group
File Permissions and Masks
Group contains 5 groups and 17 rules | [ref]
@@ -507,7 +507,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- GRUB2 bootloader configuration
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 22 groups and 46 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,11 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,10 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- File Permissions and Masks
- Services
- APT service configuration
- Deprecated services
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 9 groups and 19 rules | Group
@@ -96,7 +96,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
File Permissions and Masks
Group contains 2 groups and 12 rules | [ref]
@@ -243,7 +243,11 @@
Verify Group Who Owns group File
[ref] | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns gshadow File
[ref] | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow | | Rationale: | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns passwd File
[ref] | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd | | Rationale: | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify Group Who Owns shadow File
[ref] | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow | | Rationale: | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | |
| Rule
Verify User Who Owns group File
[ref] | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group | | Rationale: | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_file_owner_etc_group | | Identifiers and References | References:
- 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- APT service configuration
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 45 rules | Group
@@ -165,7 +165,22 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | | |
| Rule
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
+ BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| Rule
- Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
- [ref] | The sudo NOPASSWD tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the NOPASSWD tag does not exist in
-/etc/sudoers configuration file or any sudo configuration snippets
-in /etc/sudoers.d/. | | Rationale: | Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd | | Identifiers and References | References:
- BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490 | |
| | Group
System Accounting with auditd
Group contains 2 rules | [ref]
@@ -354,11 +354,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -408,10 +408,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 21 groups and 71 rules | | Group
@@ -339,327 +339,7 @@
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 18.04
Group contains 19 groups and 45 rules | | Group
@@ -228,11 +228,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -282,10 +282,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -483,7 +483,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7 | | |
| Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
-system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 87 groups and 198 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.6.3 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 85 groups and 197 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.6.3 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 98 groups and 282 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.6.3 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 98 groups and 284 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -166,7 +166,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.4.1 | | |
| Rule
Configure Periodic Execution of AIDE
[ref] | At a minimum, AIDE should be configured to run a weekly scan.
@@ -281,7 +281,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.6.3 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Apport Service
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 22 groups and 45 rules | | Group
@@ -257,11 +257,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, UBTU-20-010182, 4.1.1.1 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -312,10 +312,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, 4.1.1.2 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -513,7 +513,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7, 4.3 | | |
| Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
-system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.1.1 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- APT service configuration
- Base Services
- Deprecated services
- Network Time Protocol
- Obsolete Services
- SSH Server
- System Security Services Daemon
Checklist| Group
Guide to the Secure Configuration of Ubuntu 20.04
Group contains 75 groups and 191 rules | | Group
@@ -112,11 +112,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, UBTU-20-010450, 1.4.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -263,7 +263,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, UBTU-20-010074, 1.4.2 | | |
| | Group
Federal Information Processing Standard (FIPS)
Group contains 1 rule | [ref]
@@ -725,7 +725,37 @@
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_sudo_require_authentication | | Identifiers and References | References:
- 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, UBTU-20-010014 | | |
| | Group
Updating Software
Group contains 1 rule | [ref]
@@ -1134,28 +1134,7 @@
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_banner_etc_issue_net | | Identifiers and References | References:
- CCI-000048, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, UBTU-20-010038 | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 96 groups and 251 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -374,7 +374,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 92 groups and 245 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -374,7 +374,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
- X Window System
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 107 groups and 344 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -374,7 +374,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- Account and Access Control
- System Accounting with auditd
- AppArmor
- GRUB2 bootloader configuration
- Configure Syslog
- Network Configuration and Firewalls
- File Permissions and Masks
- Services
- Apport Service
- Avahi Server
- Cron and At Daemons
- Deprecated services
- DHCP
- DNS Server
- FTP Server
- Web Server
- IMAP and POP3 Server
- LDAP
- Mail Server Software
- NFS and RPC
- Network Time Protocol
- Obsolete Services
- Print Support
- Proxy Server
- Samba(SMB) Microsoft Windows File Sharing Server
- SNMP Server
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 105 groups and 342 rules | | Group
@@ -110,11 +110,26 @@
[ref] | The aide package can be installed with the following command:
$ apt-get install aide | | Rationale: | The AIDE package must be installed if it is to be available for integrity checking. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_aide_installed | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Build and Test AIDE Database
[ref] | Run the following command to generate a new database:
@@ -165,7 +165,32 @@
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate. | | Rationale: | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_build_database | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000445-GPOS-00199, 1.3.1 | | |
| Rule
Configure AIDE to Verify the Audit Tools
[ref] | The operating system file integrity tool must be configured to protect the integrity of the audit tools. | | Rationale: | Protecting the integrity of the tools used for auditing purposes is a
@@ -374,7 +374,21 @@
system. The operating system's Information Management Officer (IMO)/Information System
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking | | Identifiers and References | References:
- BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 | | |
| Rule
Package "prelink" Must not be Installed
[ref] | The prelink package can be removed with the following command:
$ apt-get remove prelink | | Rationale: | The use of the prelink package can interfere with the operation of AIDE since it binaries.
Prelinking can also increase damage caused by vulnerability in a common library like libc. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_prelink_removed | | Identifiers and References | References:
- 1.5.2 | | Profile InformationCPE Platforms- cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~
Revision HistoryCurrent version: 0.1.66 - draft
- (as of 2023-02-07)
+ (as of 2039-03-12)
Table of Contents- System Settings
- Installing and Maintaining Software
- System Accounting with auditd
- Configure Syslog
- File Permissions and Masks
- Services
- Apport Service
- Cron and At Daemons
- Deprecated services
- Network Time Protocol
- SSH Server
Checklist| Group
Guide to the Secure Configuration of Ubuntu 22.04
Group contains 20 groups and 44 rules | | Group
@@ -228,11 +228,26 @@
| Rule
Ensure the audit Subsystem is Installed
[ref] | The audit package should be installed. | | Rationale: | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_audit_installed | | Identifiers and References | References:
- BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, Req-10.2.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, 4.1.1.1 | | |
| Rule
Enable auditd Service
[ref] | The auditd service is an essential userspace component of
@@ -282,10 +282,29 @@
Additionally, a properly configured audit subsystem ensures that actions of
individual system users can be uniquely traced to those users so they
can be held accountable for their actions. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_service_auditd_enabled | | Identifiers and References | References:
- 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, 4.1.1.2 | | |
| | Group
Configure Syslog
Group contains 2 groups and 6 rules | [ref]
@@ -483,7 +483,28 @@
daily | | Rationale: | Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated | | Identifiers and References | References:
- BP28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, Req-10.7, 4.3 | | |
| Rule
+ Ensure rsyslog is Installed
+ [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
+system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
+ BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.2.1 | |
| Rule
- Ensure rsyslog is Installed
- [ref] | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog | | Rationale: | The rsyslog package provides the rsyslog daemon, which provides
-system logging services. | | Severity: | medium | | Rule ID: | xccdf_org.ssgproject.content_rule_package_rsyslog_installed | | Identifiers and References | References:
- BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, 4.2.2.1 | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|