From 9ccf5607d22b1b105ce7c3837f3935df8d47d83e Mon Sep 17 00:00:00 2001 From: Automated Publisher Date: Thu, 9 Nov 2023 00:09:45 +0000 Subject: [PATCH] Automated publish: Thu Nov 9 00:09:45 UTC 2023 ee580fbd90f0c46dbea07f075cfb447345b92c22 --- rhel8-playbook-stig.yml | 155 + rhel8-script-stig.sh | 1739 +- ssg-rhel8-ds-1.2.xml | 26892 ++++++++++---------- ssg-rhel8-ds.xml | 26892 ++++++++++---------- ssg-rhel8-guide-stig.html | 2978 ++- table-rhel8-srgmap-flat.html | 43642 +++++++++++++++++---------------- 6 files changed, 51599 insertions(+), 50699 deletions(-) diff --git a/rhel8-playbook-stig.yml b/rhel8-playbook-stig.yml index 3cad7c8..d55c525 100644 --- a/rhel8-playbook-stig.yml +++ b/rhel8-playbook-stig.yml @@ -2504,6 +2504,62 @@ - unknown_strategy + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-87261-4 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020082 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + - name: Prevent user modification of GNOME Screensaver lock-enabled + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-enabled$ + line: /org/gnome/desktop/screensaver/lock-enabled + create: true + when: '"gdm" in ansible_facts.packages' + tags: + - CCE-87261-4 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020082 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + - name: Dconf Update + command: dconf update + when: '"gdm" in ansible_facts.packages' + tags: + - CCE-87261-4 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020082 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + - name: Gather the package facts package_facts: manager: auto @@ -35147,6 +35203,66 @@ - restrict_strategy + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86506-3 + - DISA-STIG-RHEL-08-040150 + - NIST-800-53-SC-5 + - firewalld-backend + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + - name: Setting unquoted shell-style assignment of 'FirewallBackend' to 'nftables' + in '/etc/firewalld/firewalld.conf' + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/firewalld/firewalld.conf + create: true + regexp: ^\s*FirewallBackend= + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/firewalld/firewalld.conf + lineinfile: + path: /etc/firewalld/firewalld.conf + create: true + regexp: ^\s*FirewallBackend= + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/firewalld/firewalld.conf + lineinfile: + path: /etc/firewalld/firewalld.conf + create: true + regexp: ^\s*FirewallBackend= + line: FirewallBackend=nftables + state: present + insertbefore: ^# FirewallBackend + validate: /usr/bin/bash -n %s + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"firewalld" in ansible_facts.packages' + tags: + - CCE-86506-3 + - DISA-STIG-RHEL-08-040150 + - NIST-800-53-SC-5 + - firewalld-backend + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + - name: Ensure firewalld is installed package: name: firewalld @@ -41079,6 +41195,45 @@ - no_reboot_needed + - name: Ensure kernel module 'uvcvideo' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/uvcvideo.conf + regexp: install\s+uvcvideo + line: install uvcvideo /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86960-2 + - DISA-STIG-RHEL-08-040020 + - NIST-800-53-CM-7 (5) (b) + - NIST-800-53-CM-7 (a) + - disable_strategy + - kernel_module_uvcvideo_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + - name: Ensure kernel module 'uvcvideo' is blacklisted + lineinfile: + create: true + dest: /etc/modprobe.d/uvcvideo.conf + regexp: ^blacklist uvcvideo$ + line: blacklist uvcvideo + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-86960-2 + - DISA-STIG-RHEL-08-040020 + - NIST-800-53-CM-7 (5) (b) + - NIST-800-53-CM-7 (a) + - disable_strategy + - kernel_module_uvcvideo_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + - name: List /etc/sysctl.d/*.conf files find: paths: diff --git a/rhel8-script-stig.sh b/rhel8-script-stig.sh index a8063ef..945fb03 100644 --- a/rhel8-script-stig.sh +++ b/rhel8-script-stig.sh @@ -32,9 +32,9 @@ ############################################################################### ############################################################################### -# BEGIN fix (1 / 403) for 'xccdf_org.ssgproject.content_rule_package_aide_installed' +# BEGIN fix (1 / 410) for 'xccdf_org.ssgproject.content_rule_package_aide_installed' ############################################################################### -(>&2 echo "Remediating rule 1/403: 'xccdf_org.ssgproject.content_rule_package_aide_installed'") +(>&2 echo "Remediating rule 1/410: 'xccdf_org.ssgproject.content_rule_package_aide_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -49,9 +49,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_aide_installed' ############################################################################### -# BEGIN fix (2 / 403) for 'xccdf_org.ssgproject.content_rule_aide_build_database' +# BEGIN fix (2 / 410) for 'xccdf_org.ssgproject.content_rule_aide_build_database' ############################################################################### -(>&2 echo "Remediating rule 2/403: 'xccdf_org.ssgproject.content_rule_aide_build_database'") +(>&2 echo "Remediating rule 2/410: 'xccdf_org.ssgproject.content_rule_aide_build_database'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -69,9 +69,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_aide_build_database' ############################################################################### -# BEGIN fix (3 / 403) for 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools' +# BEGIN fix (3 / 410) for 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools' ############################################################################### -(>&2 echo "Remediating rule 3/403: 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools'") +(>&2 echo "Remediating rule 3/410: 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -137,9 +137,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools' ############################################################################### -# BEGIN fix (4 / 403) for 'xccdf_org.ssgproject.content_rule_aide_scan_notification' +# BEGIN fix (4 / 410) for 'xccdf_org.ssgproject.content_rule_aide_scan_notification' ############################################################################### -(>&2 echo "Remediating rule 4/403: 'xccdf_org.ssgproject.content_rule_aide_scan_notification'") +(>&2 echo "Remediating rule 4/410: 'xccdf_org.ssgproject.content_rule_aide_scan_notification'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -173,9 +173,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_aide_scan_notification' ############################################################################### -# BEGIN fix (5 / 403) for 'xccdf_org.ssgproject.content_rule_aide_verify_acls' +# BEGIN fix (5 / 410) for 'xccdf_org.ssgproject.content_rule_aide_verify_acls' ############################################################################### -(>&2 echo "Remediating rule 5/403: 'xccdf_org.ssgproject.content_rule_aide_verify_acls'") +(>&2 echo "Remediating rule 5/410: 'xccdf_org.ssgproject.content_rule_aide_verify_acls'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -210,9 +210,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_aide_verify_acls' ############################################################################### -# BEGIN fix (6 / 403) for 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes' +# BEGIN fix (6 / 410) for 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes' ############################################################################### -(>&2 echo "Remediating rule 6/403: 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes'") +(>&2 echo "Remediating rule 6/410: 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -247,9 +247,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes' ############################################################################### -# BEGIN fix (7 / 403) for 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership' +# BEGIN fix (7 / 410) for 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership' ############################################################################### -(>&2 echo "Remediating rule 7/403: 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership'") +(>&2 echo "Remediating rule 7/410: 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -268,9 +268,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership' ############################################################################### -# BEGIN fix (8 / 403) for 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership' +# BEGIN fix (8 / 410) for 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership' ############################################################################### -(>&2 echo "Remediating rule 8/403: 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership'") +(>&2 echo "Remediating rule 8/410: 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -289,9 +289,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership' ############################################################################### -# BEGIN fix (9 / 403) for 'xccdf_org.ssgproject.content_rule_file_audit_tools_permissions' +# BEGIN fix (9 / 410) for 'xccdf_org.ssgproject.content_rule_file_audit_tools_permissions' ############################################################################### -(>&2 echo "Remediating rule 9/403: 'xccdf_org.ssgproject.content_rule_file_audit_tools_permissions'") +(>&2 echo "Remediating rule 9/410: 'xccdf_org.ssgproject.content_rule_file_audit_tools_permissions'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -316,9 +316,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_audit_tools_permissions' ############################################################################### -# BEGIN fix (10 / 403) for 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module' +# BEGIN fix (10 / 410) for 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module' ############################################################################### -(>&2 echo "Remediating rule 10/403: 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'") +(>&2 echo "Remediating rule 10/410: 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then @@ -335,9 +335,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module' ############################################################################### -# BEGIN fix (11 / 403) for 'xccdf_org.ssgproject.content_rule_enable_fips_mode' +# BEGIN fix (11 / 410) for 'xccdf_org.ssgproject.content_rule_enable_fips_mode' ############################################################################### -(>&2 echo "Remediating rule 11/403: 'xccdf_org.ssgproject.content_rule_enable_fips_mode'") +(>&2 echo "Remediating rule 11/410: 'xccdf_org.ssgproject.content_rule_enable_fips_mode'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -368,17 +368,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_enable_fips_mode' ############################################################################### -# BEGIN fix (12 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled' +# BEGIN fix (12 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled' ############################################################################### -(>&2 echo "Remediating rule 12/403: 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'") +(>&2 echo "Remediating rule 12/410: 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled' ############################################################################### -# BEGIN fix (13 / 403) for 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy' +# BEGIN fix (13 / 410) for 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 13/403: 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy'") +(>&2 echo "Remediating rule 13/410: 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy'") function remediate_bind_crypto_policy() { CONFIG_FILE="/etc/named.conf" @@ -396,9 +396,9 @@ remediate_bind_crypto_policy # END fix for 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy' ############################################################################### -# BEGIN fix (14 / 403) for 'xccdf_org.ssgproject.content_rule_configure_crypto_policy' +# BEGIN fix (14 / 410) for 'xccdf_org.ssgproject.content_rule_configure_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 14/403: 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'") +(>&2 echo "Remediating rule 14/410: 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'") var_system_crypto_policy='FIPS' @@ -421,9 +421,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_configure_crypto_policy' ############################################################################### -# BEGIN fix (15 / 403) for 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy' +# BEGIN fix (15 / 410) for 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 15/403: 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy'") +(>&2 echo "Remediating rule 15/410: 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy'") CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' @@ -450,9 +450,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy' ############################################################################### -# BEGIN fix (16 / 403) for 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy' +# BEGIN fix (16 / 410) for 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 16/403: 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy'") +(>&2 echo "Remediating rule 16/410: 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy'") rm -f /etc/krb5.conf.d/crypto-policies ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies @@ -460,9 +460,9 @@ ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policie # END fix for 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy' ############################################################################### -# BEGIN fix (17 / 403) for 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' +# BEGIN fix (17 / 410) for 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 17/403: 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy'") +(>&2 echo "Remediating rule 17/410: 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy'") function remediate_libreswan_crypto_policy() { CONFIG_FILE="/etc/ipsec.conf" @@ -478,9 +478,9 @@ remediate_libreswan_crypto_policy # END fix for 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' ############################################################################### -# BEGIN fix (18 / 403) for 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy' +# BEGIN fix (18 / 410) for 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 18/403: 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy'") +(>&2 echo "Remediating rule 18/410: 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy'") OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' @@ -515,17 +515,17 @@ remediate_openssl_crypto_policy # END fix for 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy' ############################################################################### -# BEGIN fix (19 / 403) for 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy' +# BEGIN fix (19 / 410) for 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 19/403: 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy'") +(>&2 echo "Remediating rule 19/410: 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy' ############################################################################### -# BEGIN fix (20 / 403) for 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' +# BEGIN fix (20 / 410) for 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 20/403: 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy'") +(>&2 echo "Remediating rule 20/410: 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy'") SSH_CONF="/etc/sysconfig/sshd" @@ -534,9 +534,9 @@ sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF # END fix for 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' ############################################################################### -# BEGIN fix (21 / 403) for 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' +# BEGIN fix (21 / 410) for 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 21/403: 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy'") +(>&2 echo "Remediating rule 21/410: 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy'") sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' @@ -559,9 +559,9 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak" # END fix for 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' ############################################################################### -# BEGIN fix (22 / 403) for 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' +# BEGIN fix (22 / 410) for 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 22/403: 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy'") +(>&2 echo "Remediating rule 22/410: 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy'") sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' @@ -597,9 +597,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' ############################################################################### -# BEGIN fix (23 / 403) for 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' +# BEGIN fix (23 / 410) for 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 23/403: 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy'") +(>&2 echo "Remediating rule 23/410: 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy'") sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' @@ -622,9 +622,9 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak" # END fix for 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' ############################################################################### -# BEGIN fix (24 / 403) for 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' +# BEGIN fix (24 / 410) for 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' ############################################################################### -(>&2 echo "Remediating rule 24/403: 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy'") +(>&2 echo "Remediating rule 24/410: 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy'") sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' @@ -660,89 +660,89 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' ############################################################################### -# BEGIN fix (25 / 403) for 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' +# BEGIN fix (25 / 410) for 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' ############################################################################### -(>&2 echo "Remediating rule 25/403: 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported'") +(>&2 echo "Remediating rule 25/410: 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' ############################################################################### -# BEGIN fix (26 / 403) for 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed' +# BEGIN fix (26 / 410) for 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed' ############################################################################### -(>&2 echo "Remediating rule 26/403: 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed'") +(>&2 echo "Remediating rule 26/410: 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_package_mcafeetp_installed' ############################################################################### -# BEGIN fix (27 / 403) for 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running' +# BEGIN fix (27 / 410) for 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running' ############################################################################### -(>&2 echo "Remediating rule 27/403: 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running'") +(>&2 echo "Remediating rule 27/410: 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_agent_mfetpd_running' ############################################################################### -# BEGIN fix (28 / 403) for 'xccdf_org.ssgproject.content_rule_encrypt_partitions' +# BEGIN fix (28 / 410) for 'xccdf_org.ssgproject.content_rule_encrypt_partitions' ############################################################################### -(>&2 echo "Remediating rule 28/403: 'xccdf_org.ssgproject.content_rule_encrypt_partitions'") +(>&2 echo "Remediating rule 28/410: 'xccdf_org.ssgproject.content_rule_encrypt_partitions'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_encrypt_partitions' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_encrypt_partitions' ############################################################################### -# BEGIN fix (29 / 403) for 'xccdf_org.ssgproject.content_rule_partition_for_home' +# BEGIN fix (29 / 410) for 'xccdf_org.ssgproject.content_rule_partition_for_home' ############################################################################### -(>&2 echo "Remediating rule 29/403: 'xccdf_org.ssgproject.content_rule_partition_for_home'") +(>&2 echo "Remediating rule 29/410: 'xccdf_org.ssgproject.content_rule_partition_for_home'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_home' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_home' ############################################################################### -# BEGIN fix (30 / 403) for 'xccdf_org.ssgproject.content_rule_partition_for_tmp' +# BEGIN fix (30 / 410) for 'xccdf_org.ssgproject.content_rule_partition_for_tmp' ############################################################################### -(>&2 echo "Remediating rule 30/403: 'xccdf_org.ssgproject.content_rule_partition_for_tmp'") +(>&2 echo "Remediating rule 30/410: 'xccdf_org.ssgproject.content_rule_partition_for_tmp'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_tmp' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_tmp' ############################################################################### -# BEGIN fix (31 / 403) for 'xccdf_org.ssgproject.content_rule_partition_for_var' +# BEGIN fix (31 / 410) for 'xccdf_org.ssgproject.content_rule_partition_for_var' ############################################################################### -(>&2 echo "Remediating rule 31/403: 'xccdf_org.ssgproject.content_rule_partition_for_var'") +(>&2 echo "Remediating rule 31/410: 'xccdf_org.ssgproject.content_rule_partition_for_var'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_var' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_var' ############################################################################### -# BEGIN fix (32 / 403) for 'xccdf_org.ssgproject.content_rule_partition_for_var_log' +# BEGIN fix (32 / 410) for 'xccdf_org.ssgproject.content_rule_partition_for_var_log' ############################################################################### -(>&2 echo "Remediating rule 32/403: 'xccdf_org.ssgproject.content_rule_partition_for_var_log'") +(>&2 echo "Remediating rule 32/410: 'xccdf_org.ssgproject.content_rule_partition_for_var_log'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_var_log' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_var_log' ############################################################################### -# BEGIN fix (33 / 403) for 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' +# BEGIN fix (33 / 410) for 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' ############################################################################### -(>&2 echo "Remediating rule 33/403: 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'") +(>&2 echo "Remediating rule 33/410: 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' ############################################################################### -# BEGIN fix (34 / 403) for 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' +# BEGIN fix (34 / 410) for 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' ############################################################################### -(>&2 echo "Remediating rule 34/403: 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'") +(>&2 echo "Remediating rule 34/410: 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' ############################################################################### -# BEGIN fix (35 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list' +# BEGIN fix (35 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list' ############################################################################### -(>&2 echo "Remediating rule 35/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list'") +(>&2 echo "Remediating rule 35/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -808,9 +808,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list' ############################################################################### -# BEGIN fix (36 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal' +# BEGIN fix (36 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal' ############################################################################### -(>&2 echo "Remediating rule 36/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal'") +(>&2 echo "Remediating rule 36/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -876,9 +876,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal' ############################################################################### -# BEGIN fix (37 / 403) for 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login' +# BEGIN fix (37 / 410) for 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login' ############################################################################### -(>&2 echo "Remediating rule 37/403: 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login'") +(>&2 echo "Remediating rule 37/410: 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -900,9 +900,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login' ############################################################################### -# BEGIN fix (38 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' +# BEGIN fix (38 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' ############################################################################### -(>&2 echo "Remediating rule 38/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'") +(>&2 echo "Remediating rule 38/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -952,9 +952,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' ############################################################################### -# BEGIN fix (39 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' +# BEGIN fix (39 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' ############################################################################### -(>&2 echo "Remediating rule 39/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'") +(>&2 echo "Remediating rule 39/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -1004,9 +1004,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' ############################################################################### -# BEGIN fix (40 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' +# BEGIN fix (40 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' ############################################################################### -(>&2 echo "Remediating rule 40/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'") +(>&2 echo "Remediating rule 40/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -1072,9 +1072,42 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' ############################################################################### -# BEGIN fix (41 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' +# BEGIN fix (41 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked' ############################################################################### -(>&2 echo "Remediating rule 41/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'") +(>&2 echo "Remediating rule 41/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked'") +# Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \ + | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +# Comment out the configurations in databases different from the target one +if [[ ! -z "${LOCKFILES}" ]] +then + sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}" +fi + +if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/ +then + echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + +# END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked' + +############################################################################### +# BEGIN fix (42 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' +############################################################################### +(>&2 echo "Remediating rule 42/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -1105,9 +1138,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' ############################################################################### -# BEGIN fix (42 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' +# BEGIN fix (43 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' ############################################################################### -(>&2 echo "Remediating rule 42/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'") +(>&2 echo "Remediating rule 43/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -1138,9 +1171,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' ############################################################################### -# BEGIN fix (43 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot' +# BEGIN fix (44 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot' ############################################################################### -(>&2 echo "Remediating rule 43/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot'") +(>&2 echo "Remediating rule 44/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -1206,9 +1239,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot' ############################################################################### -# BEGIN fix (44 / 403) for 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate' +# BEGIN fix (45 / 410) for 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate' ############################################################################### -(>&2 echo "Remediating rule 44/403: 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'") +(>&2 echo "Remediating rule 45/410: 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'") for f in /etc/sudoers /etc/sudoers.d/* ; do if [ ! -e "$f" ] ; then @@ -1228,9 +1261,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate' ############################################################################### -# BEGIN fix (45 / 403) for 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd' +# BEGIN fix (46 / 410) for 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd' ############################################################################### -(>&2 echo "Remediating rule 45/403: 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'") +(>&2 echo "Remediating rule 46/410: 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'") for f in /etc/sudoers /etc/sudoers.d/* ; do if [ ! -e "$f" ] ; then @@ -1250,9 +1283,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd' ############################################################################### -# BEGIN fix (46 / 403) for 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' +# BEGIN fix (47 / 410) for 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' ############################################################################### -(>&2 echo "Remediating rule 46/403: 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'") +(>&2 echo "Remediating rule 47/410: 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'") # Remediation is applicable only in certain platforms if rpm --quiet -q sudo; then @@ -1296,17 +1329,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' ############################################################################### -# BEGIN fix (47 / 403) for 'xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized' +# BEGIN fix (48 / 410) for 'xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized' ############################################################################### -(>&2 echo "Remediating rule 47/403: 'xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized'") +(>&2 echo "Remediating rule 48/410: 'xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized' ############################################################################### -# BEGIN fix (48 / 403) for 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' +# BEGIN fix (49 / 410) for 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' ############################################################################### -(>&2 echo "Remediating rule 48/403: 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir'") +(>&2 echo "Remediating rule 49/410: 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir'") sudoers_config_file="/etc/sudoers" sudoers_config_dir="/etc/sudoers.d" @@ -1331,9 +1364,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sudoers_default_includedir' ############################################################################### -# BEGIN fix (49 / 403) for 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd' +# BEGIN fix (50 / 410) for 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd' ############################################################################### -(>&2 echo "Remediating rule 49/403: 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd'") +(>&2 echo "Remediating rule 50/410: 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd'") # Remediation is applicable only in certain platforms if rpm --quiet -q sudo; then @@ -1406,9 +1439,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd' ############################################################################### -# BEGIN fix (50 / 403) for 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' +# BEGIN fix (51 / 410) for 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' ############################################################################### -(>&2 echo "Remediating rule 50/403: 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed'") +(>&2 echo "Remediating rule 51/410: 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -1423,9 +1456,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed' ############################################################################### -# BEGIN fix (51 / 403) for 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed' +# BEGIN fix (52 / 410) for 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed' ############################################################################### -(>&2 echo "Remediating rule 51/403: 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed'") +(>&2 echo "Remediating rule 52/410: 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed'") # CAUTION: This remediation script will remove abrt-addon-ccpp # from the system, and may remove any packages @@ -1442,9 +1475,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed' ############################################################################### -# BEGIN fix (52 / 403) for 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed' +# BEGIN fix (53 / 410) for 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed' ############################################################################### -(>&2 echo "Remediating rule 52/403: 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed'") +(>&2 echo "Remediating rule 53/410: 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed'") # CAUTION: This remediation script will remove abrt-addon-kerneloops # from the system, and may remove any packages @@ -1461,9 +1494,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed' ############################################################################### -# BEGIN fix (53 / 403) for 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed' +# BEGIN fix (54 / 410) for 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed' ############################################################################### -(>&2 echo "Remediating rule 53/403: 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed'") +(>&2 echo "Remediating rule 54/410: 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed'") # CAUTION: This remediation script will remove abrt-cli # from the system, and may remove any packages @@ -1480,9 +1513,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_abrt-cli_removed' ############################################################################### -# BEGIN fix (54 / 403) for 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed' +# BEGIN fix (55 / 410) for 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed' ############################################################################### -(>&2 echo "Remediating rule 54/403: 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed'") +(>&2 echo "Remediating rule 55/410: 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed'") # CAUTION: This remediation script will remove abrt-plugin-sosreport # from the system, and may remove any packages @@ -1499,9 +1532,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed' ############################################################################### -# BEGIN fix (55 / 403) for 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed' +# BEGIN fix (56 / 410) for 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed' ############################################################################### -(>&2 echo "Remediating rule 55/403: 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'") +(>&2 echo "Remediating rule 56/410: 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'") # CAUTION: This remediation script will remove gssproxy # from the system, and may remove any packages @@ -1518,9 +1551,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed' ############################################################################### -# BEGIN fix (56 / 403) for 'xccdf_org.ssgproject.content_rule_package_iprutils_removed' +# BEGIN fix (57 / 410) for 'xccdf_org.ssgproject.content_rule_package_iprutils_removed' ############################################################################### -(>&2 echo "Remediating rule 56/403: 'xccdf_org.ssgproject.content_rule_package_iprutils_removed'") +(>&2 echo "Remediating rule 57/410: 'xccdf_org.ssgproject.content_rule_package_iprutils_removed'") # CAUTION: This remediation script will remove iprutils # from the system, and may remove any packages @@ -1537,9 +1570,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_iprutils_removed' ############################################################################### -# BEGIN fix (57 / 403) for 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed' +# BEGIN fix (58 / 410) for 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed' ############################################################################### -(>&2 echo "Remediating rule 57/403: 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed'") +(>&2 echo "Remediating rule 58/410: 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed'") # CAUTION: This remediation script will remove krb5-workstation # from the system, and may remove any packages @@ -1556,9 +1589,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed' ############################################################################### -# BEGIN fix (58 / 403) for 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed' +# BEGIN fix (59 / 410) for 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed' ############################################################################### -(>&2 echo "Remediating rule 58/403: 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed'") +(>&2 echo "Remediating rule 59/410: 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed'") # CAUTION: This remediation script will remove libreport-plugin-logger # from the system, and may remove any packages @@ -1575,9 +1608,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed' ############################################################################### -# BEGIN fix (59 / 403) for 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed' +# BEGIN fix (60 / 410) for 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed' ############################################################################### -(>&2 echo "Remediating rule 59/403: 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed'") +(>&2 echo "Remediating rule 60/410: 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed'") # CAUTION: This remediation script will remove libreport-plugin-rhtsupport # from the system, and may remove any packages @@ -1594,9 +1627,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed' ############################################################################### -# BEGIN fix (60 / 403) for 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed' +# BEGIN fix (61 / 410) for 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed' ############################################################################### -(>&2 echo "Remediating rule 60/403: 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed'") +(>&2 echo "Remediating rule 61/410: 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed'") # CAUTION: This remediation script will remove python3-abrt-addon # from the system, and may remove any packages @@ -1613,9 +1646,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed' ############################################################################### -# BEGIN fix (61 / 403) for 'xccdf_org.ssgproject.content_rule_package_tuned_removed' +# BEGIN fix (62 / 410) for 'xccdf_org.ssgproject.content_rule_package_tuned_removed' ############################################################################### -(>&2 echo "Remediating rule 61/403: 'xccdf_org.ssgproject.content_rule_package_tuned_removed'") +(>&2 echo "Remediating rule 62/410: 'xccdf_org.ssgproject.content_rule_package_tuned_removed'") # CAUTION: This remediation script will remove tuned # from the system, and may remove any packages @@ -1632,9 +1665,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_tuned_removed' ############################################################################### -# BEGIN fix (62 / 403) for 'xccdf_org.ssgproject.content_rule_clean_components_post_updating' +# BEGIN fix (63 / 410) for 'xccdf_org.ssgproject.content_rule_clean_components_post_updating' ############################################################################### -(>&2 echo "Remediating rule 62/403: 'xccdf_org.ssgproject.content_rule_clean_components_post_updating'") +(>&2 echo "Remediating rule 63/410: 'xccdf_org.ssgproject.content_rule_clean_components_post_updating'") # Remediation is applicable only in certain platforms if rpm --quiet -q yum; then @@ -1652,9 +1685,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_clean_components_post_updating' ############################################################################### -# BEGIN fix (63 / 403) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' +# BEGIN fix (64 / 410) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' ############################################################################### -(>&2 echo "Remediating rule 63/403: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'") +(>&2 echo "Remediating rule 64/410: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'") # Remediation is applicable only in certain platforms if rpm --quiet -q yum; then @@ -1687,9 +1720,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' ############################################################################### -# BEGIN fix (64 / 403) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' +# BEGIN fix (65 / 410) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' ############################################################################### -(>&2 echo "Remediating rule 64/403: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'") +(>&2 echo "Remediating rule 65/410: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'") # Remediation is applicable only in certain platforms if rpm --quiet -q yum; then @@ -1722,18 +1755,18 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' ############################################################################### -# BEGIN fix (65 / 403) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' +# BEGIN fix (66 / 410) for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' ############################################################################### -(>&2 echo "Remediating rule 65/403: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'") +(>&2 echo "Remediating rule 66/410: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'") sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* # END fix for 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled' ############################################################################### -# BEGIN fix (66 / 403) for 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' +# BEGIN fix (67 / 410) for 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' ############################################################################### -(>&2 echo "Remediating rule 66/403: 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'") +(>&2 echo "Remediating rule 67/410: 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'") # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51" readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" @@ -1765,9 +1798,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' ############################################################################### -# BEGIN fix (67 / 403) for 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' +# BEGIN fix (68 / 410) for 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' ############################################################################### -(>&2 echo "Remediating rule 67/403: 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date'") +(>&2 echo "Remediating rule 68/410: 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date'") yum -y update @@ -1775,9 +1808,9 @@ yum -y update # END fix for 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' ############################################################################### -# BEGIN fix (68 / 403) for 'xccdf_org.ssgproject.content_rule_enable_authselect' +# BEGIN fix (69 / 410) for 'xccdf_org.ssgproject.content_rule_enable_authselect' ############################################################################### -(>&2 echo "Remediating rule 68/403: 'xccdf_org.ssgproject.content_rule_enable_authselect'") +(>&2 echo "Remediating rule 69/410: 'xccdf_org.ssgproject.content_rule_enable_authselect'") var_authselect_profile='sssd' @@ -1795,9 +1828,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_enable_authselect' ############################################################################### -# BEGIN fix (69 / 403) for 'xccdf_org.ssgproject.content_rule_banner_etc_issue' +# BEGIN fix (70 / 410) for 'xccdf_org.ssgproject.content_rule_banner_etc_issue' ############################################################################### -(>&2 echo "Remediating rule 69/403: 'xccdf_org.ssgproject.content_rule_banner_etc_issue'") +(>&2 echo "Remediating rule 70/410: 'xccdf_org.ssgproject.content_rule_banner_etc_issue'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -1828,9 +1861,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_banner_etc_issue' ############################################################################### -# BEGIN fix (70 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled' +# BEGIN fix (71 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled' ############################################################################### -(>&2 echo "Remediating rule 70/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'") +(>&2 echo "Remediating rule 71/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm; then @@ -1896,9 +1929,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled' ############################################################################### -# BEGIN fix (71 / 403) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' +# BEGIN fix (72 / 410) for 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' ############################################################################### -(>&2 echo "Remediating rule 71/403: 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text'") +(>&2 echo "Remediating rule 72/410: 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text'") # Remediation is applicable only in certain platforms if rpm --quiet -q gdm; then @@ -1983,9 +2016,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' ############################################################################### -# BEGIN fix (72 / 403) for 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo' +# BEGIN fix (73 / 410) for 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo' ############################################################################### -(>&2 echo "Remediating rule 72/403: 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo'") +(>&2 echo "Remediating rule 73/410: 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -1998,9 +2031,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo' ############################################################################### -# BEGIN fix (73 / 403) for 'xccdf_org.ssgproject.content_rule_display_login_attempts' +# BEGIN fix (74 / 410) for 'xccdf_org.ssgproject.content_rule_display_login_attempts' ############################################################################### -(>&2 echo "Remediating rule 73/403: 'xccdf_org.ssgproject.content_rule_display_login_attempts'") +(>&2 echo "Remediating rule 74/410: 'xccdf_org.ssgproject.content_rule_display_login_attempts'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -2262,9 +2295,25 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_display_login_attempts' ############################################################################### -# BEGIN fix (74 / 403) for 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' +# BEGIN fix (75 / 410) for 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth' ############################################################################### -(>&2 echo "Remediating rule 74/403: 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir'") +(>&2 echo "Remediating rule 75/410: 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'") +(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth' IS MISSING!") + +# END fix for 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth' + +############################################################################### +# BEGIN fix (76 / 410) for 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth' +############################################################################### +(>&2 echo "Remediating rule 76/410: 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'") +(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth' IS MISSING!") + +# END fix for 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth' + +############################################################################### +# BEGIN fix (77 / 410) for 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' +############################################################################### +(>&2 echo "Remediating rule 77/410: 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -2297,9 +2346,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir' ############################################################################### -# BEGIN fix (75 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' +# BEGIN fix (78 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' ############################################################################### -(>&2 echo "Remediating rule 75/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth'") +(>&2 echo "Remediating rule 78/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -2498,9 +2547,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' ############################################################################### -# BEGIN fix (76 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' +# BEGIN fix (79 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' ############################################################################### -(>&2 echo "Remediating rule 76/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth'") +(>&2 echo "Remediating rule 79/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -2699,9 +2748,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' ############################################################################### -# BEGIN fix (77 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' +# BEGIN fix (80 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' ############################################################################### -(>&2 echo "Remediating rule 77/403: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit'") +(>&2 echo "Remediating rule 80/410: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit'") # Remediation is applicable only in certain platforms if grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.2"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; then @@ -2804,9 +2853,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' ############################################################################### -# BEGIN fix (78 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' +# BEGIN fix (81 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' ############################################################################### -(>&2 echo "Remediating rule 78/403: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'") +(>&2 echo "Remediating rule 81/410: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -2918,9 +2967,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' ############################################################################### -# BEGIN fix (79 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' +# BEGIN fix (82 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' ############################################################################### -(>&2 echo "Remediating rule 79/403: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root'") +(>&2 echo "Remediating rule 82/410: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3024,9 +3073,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' ############################################################################### -# BEGIN fix (80 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' +# BEGIN fix (83 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' ############################################################################### -(>&2 echo "Remediating rule 80/403: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir'") +(>&2 echo "Remediating rule 83/410: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3152,9 +3201,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' ############################################################################### -# BEGIN fix (81 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' +# BEGIN fix (84 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' ############################################################################### -(>&2 echo "Remediating rule 81/403: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval'") +(>&2 echo "Remediating rule 84/410: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3266,9 +3315,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' ############################################################################### -# BEGIN fix (82 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' +# BEGIN fix (85 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' ############################################################################### -(>&2 echo "Remediating rule 82/403: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent'") +(>&2 echo "Remediating rule 85/410: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3323,9 +3372,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' ############################################################################### -# BEGIN fix (83 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' +# BEGIN fix (86 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' ############################################################################### -(>&2 echo "Remediating rule 83/403: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'") +(>&2 echo "Remediating rule 86/410: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3437,9 +3486,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' ############################################################################### -# BEGIN fix (84 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' +# BEGIN fix (87 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' ############################################################################### -(>&2 echo "Remediating rule 84/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'") +(>&2 echo "Remediating rule 87/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3479,9 +3528,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' ############################################################################### -# BEGIN fix (85 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' +# BEGIN fix (88 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' ############################################################################### -(>&2 echo "Remediating rule 85/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck'") +(>&2 echo "Remediating rule 88/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3521,9 +3570,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' ############################################################################### -# BEGIN fix (86 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' +# BEGIN fix (89 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' ############################################################################### -(>&2 echo "Remediating rule 86/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'") +(>&2 echo "Remediating rule 89/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3563,9 +3612,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' ############################################################################### -# BEGIN fix (87 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' +# BEGIN fix (90 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' ############################################################################### -(>&2 echo "Remediating rule 87/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'") +(>&2 echo "Remediating rule 90/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3605,9 +3654,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' ############################################################################### -# BEGIN fix (88 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat' +# BEGIN fix (91 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat' ############################################################################### -(>&2 echo "Remediating rule 88/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat'") +(>&2 echo "Remediating rule 91/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3647,9 +3696,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat' ############################################################################### -# BEGIN fix (89 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' +# BEGIN fix (92 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' ############################################################################### -(>&2 echo "Remediating rule 89/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'") +(>&2 echo "Remediating rule 92/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3689,9 +3738,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' ############################################################################### -# BEGIN fix (90 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' +# BEGIN fix (93 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' ############################################################################### -(>&2 echo "Remediating rule 90/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'") +(>&2 echo "Remediating rule 93/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3731,9 +3780,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' ############################################################################### -# BEGIN fix (91 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' +# BEGIN fix (94 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' ############################################################################### -(>&2 echo "Remediating rule 91/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'") +(>&2 echo "Remediating rule 94/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3773,9 +3822,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' ############################################################################### -# BEGIN fix (92 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' +# BEGIN fix (95 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' ############################################################################### -(>&2 echo "Remediating rule 92/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'") +(>&2 echo "Remediating rule 95/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3815,9 +3864,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' ############################################################################### -# BEGIN fix (93 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' +# BEGIN fix (96 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' ############################################################################### -(>&2 echo "Remediating rule 93/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth'") +(>&2 echo "Remediating rule 96/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3883,9 +3932,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth' ############################################################################### -# BEGIN fix (94 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth' +# BEGIN fix (97 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth' ############################################################################### -(>&2 echo "Remediating rule 94/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth'") +(>&2 echo "Remediating rule 97/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -3951,9 +4000,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth' ############################################################################### -# BEGIN fix (95 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' +# BEGIN fix (98 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' ############################################################################### -(>&2 echo "Remediating rule 95/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'") +(>&2 echo "Remediating rule 98/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -4079,9 +4128,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' ############################################################################### -# BEGIN fix (96 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' +# BEGIN fix (99 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' ############################################################################### -(>&2 echo "Remediating rule 96/403: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'") +(>&2 echo "Remediating rule 99/410: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -4121,9 +4170,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' ############################################################################### -# BEGIN fix (97 / 403) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs' +# BEGIN fix (100 / 410) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs' ############################################################################### -(>&2 echo "Remediating rule 97/403: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'") +(>&2 echo "Remediating rule 100/410: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -4144,9 +4193,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs' ############################################################################### -# BEGIN fix (98 / 403) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth' +# BEGIN fix (101 / 410) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth' ############################################################################### -(>&2 echo "Remediating rule 98/403: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth'") +(>&2 echo "Remediating rule 101/410: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -4211,9 +4260,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth' ############################################################################### -# BEGIN fix (99 / 403) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' +# BEGIN fix (102 / 410) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' ############################################################################### -(>&2 echo "Remediating rule 99/403: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth'") +(>&2 echo "Remediating rule 102/410: 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -4278,9 +4327,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth' ############################################################################### -# BEGIN fix (100 / 403) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' +# BEGIN fix (103 / 410) for 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' ############################################################################### -(>&2 echo "Remediating rule 100/403: 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs'") +(>&2 echo "Remediating rule 103/410: 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs'") if [ -e "/etc/login.defs" ] ; then @@ -4301,9 +4350,9 @@ rm "/etc/login.defs.bak" # END fix for 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' ############################################################################### -# BEGIN fix (101 / 403) for 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled' +# BEGIN fix (104 / 410) for 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled' ############################################################################### -(>&2 echo "Remediating rule 101/403: 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled'") +(>&2 echo "Remediating rule 104/410: 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4328,9 +4377,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled' ############################################################################### -# BEGIN fix (102 / 403) for 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction' +# BEGIN fix (105 / 410) for 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction' ############################################################################### -(>&2 echo "Remediating rule 102/403: 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction'") +(>&2 echo "Remediating rule 105/410: 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q systemd; }; then @@ -4363,9 +4412,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction' ############################################################################### -# BEGIN fix (103 / 403) for 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot' +# BEGIN fix (106 / 410) for 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot' ############################################################################### -(>&2 echo "Remediating rule 103/403: 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot'") +(>&2 echo "Remediating rule 106/410: 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4379,9 +4428,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot' ############################################################################### -# BEGIN fix (104 / 403) for 'xccdf_org.ssgproject.content_rule_logind_session_timeout' +# BEGIN fix (107 / 410) for 'xccdf_org.ssgproject.content_rule_logind_session_timeout' ############################################################################### -(>&2 echo "Remediating rule 104/403: 'xccdf_org.ssgproject.content_rule_logind_session_timeout'") +(>&2 echo "Remediating rule 107/410: 'xccdf_org.ssgproject.content_rule_logind_session_timeout'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; } && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; [[ "$real" != "$expected" ]]; } ) || grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.7"; printf "%s\n%s" "$expected" "$real" | sort -VC; }; }; then @@ -4411,9 +4460,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_logind_session_timeout' ############################################################################### -# BEGIN fix (105 / 403) for 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' +# BEGIN fix (108 / 410) for 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' ############################################################################### -(>&2 echo "Remediating rule 105/403: 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth'") +(>&2 echo "Remediating rule 108/410: 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4436,9 +4485,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' ############################################################################### -# BEGIN fix (106 / 403) for 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' +# BEGIN fix (109 / 410) for 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' ############################################################################### -(>&2 echo "Remediating rule 106/403: 'xccdf_org.ssgproject.content_rule_require_singleuser_auth'") +(>&2 echo "Remediating rule 109/410: 'xccdf_org.ssgproject.content_rule_require_singleuser_auth'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4459,9 +4508,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_require_singleuser_auth' ############################################################################### -# BEGIN fix (107 / 403) for 'xccdf_org.ssgproject.content_rule_package_tmux_installed' +# BEGIN fix (110 / 410) for 'xccdf_org.ssgproject.content_rule_package_tmux_installed' ############################################################################### -(>&2 echo "Remediating rule 107/403: 'xccdf_org.ssgproject.content_rule_package_tmux_installed'") +(>&2 echo "Remediating rule 110/410: 'xccdf_org.ssgproject.content_rule_package_tmux_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4476,9 +4525,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_tmux_installed' ############################################################################### -# BEGIN fix (108 / 403) for 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux' +# BEGIN fix (111 / 410) for 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux' ############################################################################### -(>&2 echo "Remediating rule 108/403: 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux'") +(>&2 echo "Remediating rule 111/410: 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then @@ -4500,9 +4549,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux' ############################################################################### -# BEGIN fix (109 / 403) for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time' +# BEGIN fix (112 / 410) for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time' ############################################################################### -(>&2 echo "Remediating rule 109/403: 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time'") +(>&2 echo "Remediating rule 112/410: 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then @@ -4522,9 +4571,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time' ############################################################################### -# BEGIN fix (110 / 403) for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command' +# BEGIN fix (113 / 410) for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command' ############################################################################### -(>&2 echo "Remediating rule 110/403: 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command'") +(>&2 echo "Remediating rule 113/410: 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then @@ -4544,9 +4593,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command' ############################################################################### -# BEGIN fix (111 / 403) for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding' +# BEGIN fix (114 / 410) for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding' ############################################################################### -(>&2 echo "Remediating rule 111/403: 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding'") +(>&2 echo "Remediating rule 114/410: 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then @@ -4564,9 +4613,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding' ############################################################################### -# BEGIN fix (112 / 403) for 'xccdf_org.ssgproject.content_rule_no_tmux_in_shells' +# BEGIN fix (115 / 410) for 'xccdf_org.ssgproject.content_rule_no_tmux_in_shells' ############################################################################### -(>&2 echo "Remediating rule 112/403: 'xccdf_org.ssgproject.content_rule_no_tmux_in_shells'") +(>&2 echo "Remediating rule 115/410: 'xccdf_org.ssgproject.content_rule_no_tmux_in_shells'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4581,9 +4630,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_no_tmux_in_shells' ############################################################################### -# BEGIN fix (113 / 403) for 'xccdf_org.ssgproject.content_rule_package_opensc_installed' +# BEGIN fix (116 / 410) for 'xccdf_org.ssgproject.content_rule_package_opensc_installed' ############################################################################### -(>&2 echo "Remediating rule 113/403: 'xccdf_org.ssgproject.content_rule_package_opensc_installed'") +(>&2 echo "Remediating rule 116/410: 'xccdf_org.ssgproject.content_rule_package_opensc_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4598,9 +4647,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_opensc_installed' ############################################################################### -# BEGIN fix (114 / 403) for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages' +# BEGIN fix (117 / 410) for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages' ############################################################################### -(>&2 echo "Remediating rule 114/403: 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'") +(>&2 echo "Remediating rule 117/410: 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then @@ -4615,25 +4664,25 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages' ############################################################################### -# BEGIN fix (115 / 403) for 'xccdf_org.ssgproject.content_rule_account_unique_id' +# BEGIN fix (118 / 410) for 'xccdf_org.ssgproject.content_rule_account_unique_id' ############################################################################### -(>&2 echo "Remediating rule 115/403: 'xccdf_org.ssgproject.content_rule_account_unique_id'") +(>&2 echo "Remediating rule 118/410: 'xccdf_org.ssgproject.content_rule_account_unique_id'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_account_unique_id' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_account_unique_id' ############################################################################### -# BEGIN fix (116 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_authorized_local_users' +# BEGIN fix (119 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_authorized_local_users' ############################################################################### -(>&2 echo "Remediating rule 116/403: 'xccdf_org.ssgproject.content_rule_accounts_authorized_local_users'") +(>&2 echo "Remediating rule 119/410: 'xccdf_org.ssgproject.content_rule_accounts_authorized_local_users'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_authorized_local_users' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_accounts_authorized_local_users' ############################################################################### -# BEGIN fix (117 / 403) for 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration' +# BEGIN fix (120 / 410) for 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration' ############################################################################### -(>&2 echo "Remediating rule 117/403: 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'") +(>&2 echo "Remediating rule 120/410: 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -4669,17 +4718,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration' ############################################################################### -# BEGIN fix (118 / 403) for 'xccdf_org.ssgproject.content_rule_account_temp_expire_date' +# BEGIN fix (121 / 410) for 'xccdf_org.ssgproject.content_rule_account_temp_expire_date' ############################################################################### -(>&2 echo "Remediating rule 118/403: 'xccdf_org.ssgproject.content_rule_account_temp_expire_date'") +(>&2 echo "Remediating rule 121/410: 'xccdf_org.ssgproject.content_rule_account_temp_expire_date'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_account_temp_expire_date' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_account_temp_expire_date' ############################################################################### -# BEGIN fix (119 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs' +# BEGIN fix (122 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs' ############################################################################### -(>&2 echo "Remediating rule 119/403: 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'") +(>&2 echo "Remediating rule 122/410: 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -4699,9 +4748,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs' ############################################################################### -# BEGIN fix (120 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs' +# BEGIN fix (123 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs' ############################################################################### -(>&2 echo "Remediating rule 120/403: 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs'") +(>&2 echo "Remediating rule 123/410: 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -4721,9 +4770,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs' ############################################################################### -# BEGIN fix (121 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs' +# BEGIN fix (124 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs' ############################################################################### -(>&2 echo "Remediating rule 121/403: 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'") +(>&2 echo "Remediating rule 124/410: 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -4744,9 +4793,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs' ############################################################################### -# BEGIN fix (122 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' +# BEGIN fix (125 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' ############################################################################### -(>&2 echo "Remediating rule 122/403: 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing'") +(>&2 echo "Remediating rule 125/410: 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing'") var_accounts_maximum_age_login_defs='60' @@ -4760,9 +4809,9 @@ done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*] # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' ############################################################################### -# BEGIN fix (123 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing' +# BEGIN fix (126 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing' ############################################################################### -(>&2 echo "Remediating rule 123/403: 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing'") +(>&2 echo "Remediating rule 126/410: 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing'") var_accounts_minimum_age_login_defs='1' @@ -4776,17 +4825,17 @@ done < <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*] # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing' ############################################################################### -# BEGIN fix (124 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512' +# BEGIN fix (127 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512' ############################################################################### -(>&2 echo "Remediating rule 124/403: 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512'") +(>&2 echo "Remediating rule 127/410: 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512' ############################################################################### -# BEGIN fix (125 / 403) for 'xccdf_org.ssgproject.content_rule_no_empty_passwords' +# BEGIN fix (128 / 410) for 'xccdf_org.ssgproject.content_rule_no_empty_passwords' ############################################################################### -(>&2 echo "Remediating rule 125/403: 'xccdf_org.ssgproject.content_rule_no_empty_passwords'") +(>&2 echo "Remediating rule 128/410: 'xccdf_org.ssgproject.content_rule_no_empty_passwords'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4828,9 +4877,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_no_empty_passwords' ############################################################################### -# BEGIN fix (126 / 403) for 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' +# BEGIN fix (129 / 410) for 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' ############################################################################### -(>&2 echo "Remediating rule 126/403: 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow'") +(>&2 echo "Remediating rule 129/410: 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -4848,17 +4897,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' ############################################################################### -# BEGIN fix (127 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' +# BEGIN fix (130 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' ############################################################################### -(>&2 echo "Remediating rule 127/403: 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'") +(>&2 echo "Remediating rule 130/410: 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'") awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l # END fix for 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' ############################################################################### -# BEGIN fix (128 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs' +# BEGIN fix (131 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs' ############################################################################### -(>&2 echo "Remediating rule 128/403: 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs'") +(>&2 echo "Remediating rule 131/410: 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -4893,9 +4942,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs' ############################################################################### -# BEGIN fix (129 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay' +# BEGIN fix (132 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay' ############################################################################### -(>&2 echo "Remediating rule 129/403: 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay'") +(>&2 echo "Remediating rule 132/410: 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -4931,9 +4980,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay' ############################################################################### -# BEGIN fix (130 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions' +# BEGIN fix (133 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions' ############################################################################### -(>&2 echo "Remediating rule 130/403: 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions'") +(>&2 echo "Remediating rule 133/410: 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -4955,9 +5004,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions' ############################################################################### -# BEGIN fix (131 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs' +# BEGIN fix (134 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs' ############################################################################### -(>&2 echo "Remediating rule 131/403: 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs'") +(>&2 echo "Remediating rule 134/410: 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs'") readarray -t world_writable_files < <(find / -xdev -type f -perm -0002 2> /dev/null) readarray -t interactive_home_dirs < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd) @@ -4974,17 +5023,17 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs' ############################################################################### -# BEGIN fix (132 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only' +# BEGIN fix (135 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only' ############################################################################### -(>&2 echo "Remediating rule 132/403: 'xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only'") +(>&2 echo "Remediating rule 135/410: 'xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only' ############################################################################### -# BEGIN fix (133 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined' +# BEGIN fix (136 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined' ############################################################################### -(>&2 echo "Remediating rule 133/403: 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined'") +(>&2 echo "Remediating rule 136/410: 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined'") for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do # This follows the same logic of evaluation of home directories as used in OVAL. @@ -4996,9 +5045,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined' ############################################################################### -# BEGIN fix (134 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists' +# BEGIN fix (137 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists' ############################################################################### -(>&2 echo "Remediating rule 134/403: 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists'") +(>&2 echo "Remediating rule 137/410: 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists'") for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd); do mkhomedir_helper $user 0077; @@ -5007,9 +5056,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists' ############################################################################### -# BEGIN fix (135 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership' +# BEGIN fix (138 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership' ############################################################################### -(>&2 echo "Remediating rule 135/403: 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership'") +(>&2 echo "Remediating rule 138/410: 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership'") for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do home_dir=$(getent passwd $user | cut -d: -f6) @@ -5023,9 +5072,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership' ############################################################################### -# BEGIN fix (136 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions' +# BEGIN fix (139 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions' ############################################################################### -(>&2 echo "Remediating rule 136/403: 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions'") +(>&2 echo "Remediating rule 139/410: 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions'") for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do # Only update the permissions when necessary. This will avoid changing the inode timestamp when @@ -5037,18 +5086,18 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions' ############################################################################### -# BEGIN fix (137 / 403) for 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories' +# BEGIN fix (140 / 410) for 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories' ############################################################################### -(>&2 echo "Remediating rule 137/403: 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories'") +(>&2 echo "Remediating rule 140/410: 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories'") awk -F':' '{ if ($3 >= 1000 && $3 != 65534) system("chgrp -f " $4" "$6) }' /etc/passwd # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownership_home_directories' ############################################################################### -# BEGIN fix (138 / 403) for 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files' +# BEGIN fix (141 / 410) for 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files' ############################################################################### -(>&2 echo "Remediating rule 138/403: 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files'") +(>&2 echo "Remediating rule 141/410: 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files'") var_user_initialization_files_regex='^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$' @@ -5074,9 +5123,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_file_permission_user_init_files' ############################################################################### -# BEGIN fix (139 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories' +# BEGIN fix (142 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories' ############################################################################### -(>&2 echo "Remediating rule 139/403: 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories'") +(>&2 echo "Remediating rule 142/410: 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories'") for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do # Only update the permissions when necessary. This will avoid changing the inode timestamp when @@ -5088,9 +5137,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories' ############################################################################### -# BEGIN fix (140 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' +# BEGIN fix (143 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' ############################################################################### -(>&2 echo "Remediating rule 140/403: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'") +(>&2 echo "Remediating rule 143/410: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'") # Remediation is applicable only in certain platforms if rpm --quiet -q bash; then @@ -5114,9 +5163,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' ############################################################################### -# BEGIN fix (141 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc' +# BEGIN fix (144 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc' ############################################################################### -(>&2 echo "Remediating rule 141/403: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc'") +(>&2 echo "Remediating rule 144/410: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc'") var_accounts_user_umask='077' @@ -5130,9 +5179,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc' ############################################################################### -# BEGIN fix (142 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' +# BEGIN fix (145 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' ############################################################################### -(>&2 echo "Remediating rule 142/403: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'") +(>&2 echo "Remediating rule 145/410: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'") # Remediation is applicable only in certain platforms if rpm --quiet -q shadow-utils; then @@ -5168,9 +5217,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' ############################################################################### -# BEGIN fix (143 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile' +# BEGIN fix (146 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile' ############################################################################### -(>&2 echo "Remediating rule 143/403: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'") +(>&2 echo "Remediating rule 146/410: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'") var_accounts_user_umask='077' @@ -5188,9 +5237,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile' ############################################################################### -# BEGIN fix (144 / 403) for 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' +# BEGIN fix (147 / 410) for 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' ############################################################################### -(>&2 echo "Remediating rule 144/403: 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users'") +(>&2 echo "Remediating rule 147/410: 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users'") while IFS= read -r dir; do while IFS= read -r -d '' file; do @@ -5203,9 +5252,9 @@ done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd) # END fix for 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' ############################################################################### -# BEGIN fix (145 / 403) for 'xccdf_org.ssgproject.content_rule_package_audit_installed' +# BEGIN fix (148 / 410) for 'xccdf_org.ssgproject.content_rule_package_audit_installed' ############################################################################### -(>&2 echo "Remediating rule 145/403: 'xccdf_org.ssgproject.content_rule_package_audit_installed'") +(>&2 echo "Remediating rule 148/410: 'xccdf_org.ssgproject.content_rule_package_audit_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -5220,9 +5269,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_audit_installed' ############################################################################### -# BEGIN fix (146 / 403) for 'xccdf_org.ssgproject.content_rule_service_auditd_enabled' +# BEGIN fix (149 / 410) for 'xccdf_org.ssgproject.content_rule_service_auditd_enabled' ############################################################################### -(>&2 echo "Remediating rule 146/403: 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'") +(>&2 echo "Remediating rule 149/410: 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q audit; }; then @@ -5238,9 +5287,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_auditd_enabled' ############################################################################### -# BEGIN fix (147 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' +# BEGIN fix (150 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' ############################################################################### -(>&2 echo "Remediating rule 147/403: 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'") +(>&2 echo "Remediating rule 150/410: 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then @@ -5253,9 +5302,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' ############################################################################### -# BEGIN fix (148 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' +# BEGIN fix (151 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' ############################################################################### -(>&2 echo "Remediating rule 148/403: 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument'") +(>&2 echo "Remediating rule 151/410: 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then @@ -5268,9 +5317,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' ############################################################################### -# BEGIN fix (149 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' +# BEGIN fix (152 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' ############################################################################### -(>&2 echo "Remediating rule 149/403: 'xccdf_org.ssgproject.content_rule_audit_rules_immutable'") +(>&2 echo "Remediating rule 152/410: 'xccdf_org.ssgproject.content_rule_audit_rules_immutable'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -5304,9 +5353,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' ############################################################################### -# BEGIN fix (150 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids' +# BEGIN fix (153 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids' ############################################################################### -(>&2 echo "Remediating rule 150/403: 'xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids'") +(>&2 echo "Remediating rule 153/410: 'xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -5334,9 +5383,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids' ############################################################################### -# BEGIN fix (151 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' +# BEGIN fix (154 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' ############################################################################### -(>&2 echo "Remediating rule 151/403: 'xccdf_org.ssgproject.content_rule_audit_rules_media_export'") +(>&2 echo "Remediating rule 154/410: 'xccdf_org.ssgproject.content_rule_audit_rules_media_export'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -5668,9 +5717,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' ############################################################################### -# BEGIN fix (152 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers' +# BEGIN fix (155 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers' ############################################################################### -(>&2 echo "Remediating rule 152/403: 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers'") +(>&2 echo "Remediating rule 155/410: 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -5815,9 +5864,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers' ############################################################################### -# BEGIN fix (153 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d' +# BEGIN fix (156 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d' ############################################################################### -(>&2 echo "Remediating rule 153/403: 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d'") +(>&2 echo "Remediating rule 156/410: 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -5962,9 +6011,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d' ############################################################################### -# BEGIN fix (154 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' +# BEGIN fix (157 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' ############################################################################### -(>&2 echo "Remediating rule 154/403: 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function'") +(>&2 echo "Remediating rule 157/410: 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -6615,9 +6664,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' ############################################################################### -# BEGIN fix (155 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group' +# BEGIN fix (158 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group' ############################################################################### -(>&2 echo "Remediating rule 155/403: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'") +(>&2 echo "Remediating rule 158/410: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -6763,9 +6812,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group' ############################################################################### -# BEGIN fix (156 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow' +# BEGIN fix (159 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow' ############################################################################### -(>&2 echo "Remediating rule 156/403: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'") +(>&2 echo "Remediating rule 159/410: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -6911,9 +6960,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow' ############################################################################### -# BEGIN fix (157 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd' +# BEGIN fix (160 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd' ############################################################################### -(>&2 echo "Remediating rule 157/403: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'") +(>&2 echo "Remediating rule 160/410: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7059,9 +7108,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd' ############################################################################### -# BEGIN fix (158 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd' +# BEGIN fix (161 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd' ############################################################################### -(>&2 echo "Remediating rule 158/403: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'") +(>&2 echo "Remediating rule 161/410: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7207,9 +7256,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd' ############################################################################### -# BEGIN fix (159 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow' +# BEGIN fix (162 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow' ############################################################################### -(>&2 echo "Remediating rule 159/403: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'") +(>&2 echo "Remediating rule 162/410: 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7355,9 +7404,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow' ############################################################################### -# BEGIN fix (160 / 403) for 'xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit' +# BEGIN fix (163 / 410) for 'xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit' ############################################################################### -(>&2 echo "Remediating rule 160/403: 'xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit'") +(>&2 echo "Remediating rule 163/410: 'xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7382,9 +7431,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit' ############################################################################### -# BEGIN fix (161 / 403) for 'xccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit' +# BEGIN fix (164 / 410) for 'xccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit' ############################################################################### -(>&2 echo "Remediating rule 161/403: 'xccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit'") +(>&2 echo "Remediating rule 164/410: 'xccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7403,9 +7452,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_directory_ownership_var_log_audit' ############################################################################### -# BEGIN fix (162 / 403) for 'xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit' +# BEGIN fix (165 / 410) for 'xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit' ############################################################################### -(>&2 echo "Remediating rule 162/403: 'xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit'") +(>&2 echo "Remediating rule 165/410: 'xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7425,9 +7474,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit' ############################################################################### -# BEGIN fix (163 / 403) for 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit' +# BEGIN fix (166 / 410) for 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit' ############################################################################### -(>&2 echo "Remediating rule 163/403: 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit'") +(>&2 echo "Remediating rule 166/410: 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7456,9 +7505,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit' ############################################################################### -# BEGIN fix (164 / 403) for 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig' +# BEGIN fix (167 / 410) for 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig' ############################################################################### -(>&2 echo "Remediating rule 164/403: 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig'") +(>&2 echo "Remediating rule 167/410: 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7476,9 +7525,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig' ############################################################################### -# BEGIN fix (165 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit' +# BEGIN fix (168 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit' ############################################################################### -(>&2 echo "Remediating rule 165/403: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit'") +(>&2 echo "Remediating rule 168/410: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -7498,9 +7547,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit' ############################################################################### -# BEGIN fix (166 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' +# BEGIN fix (169 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' ############################################################################### -(>&2 echo "Remediating rule 166/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'") +(>&2 echo "Remediating rule 169/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -7832,9 +7881,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' ############################################################################### -# BEGIN fix (167 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' +# BEGIN fix (170 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' ############################################################################### -(>&2 echo "Remediating rule 167/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'") +(>&2 echo "Remediating rule 170/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -8166,9 +8215,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' ############################################################################### -# BEGIN fix (168 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' +# BEGIN fix (171 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' ############################################################################### -(>&2 echo "Remediating rule 168/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'") +(>&2 echo "Remediating rule 171/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -8500,9 +8549,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' ############################################################################### -# BEGIN fix (169 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' +# BEGIN fix (172 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' ############################################################################### -(>&2 echo "Remediating rule 169/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'") +(>&2 echo "Remediating rule 172/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -8834,9 +8883,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' ############################################################################### -# BEGIN fix (170 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown' +# BEGIN fix (173 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown' ############################################################################### -(>&2 echo "Remediating rule 170/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'") +(>&2 echo "Remediating rule 173/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -9168,9 +9217,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown' ############################################################################### -# BEGIN fix (171 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat' +# BEGIN fix (174 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat' ############################################################################### -(>&2 echo "Remediating rule 171/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'") +(>&2 echo "Remediating rule 174/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -9502,9 +9551,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat' ############################################################################### -# BEGIN fix (172 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr' +# BEGIN fix (175 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr' ############################################################################### -(>&2 echo "Remediating rule 172/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'") +(>&2 echo "Remediating rule 175/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -10155,9 +10204,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr' ############################################################################### -# BEGIN fix (173 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr' +# BEGIN fix (176 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr' ############################################################################### -(>&2 echo "Remediating rule 173/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'") +(>&2 echo "Remediating rule 176/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -10808,9 +10857,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr' ############################################################################### -# BEGIN fix (174 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown' +# BEGIN fix (177 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown' ############################################################################### -(>&2 echo "Remediating rule 174/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'") +(>&2 echo "Remediating rule 177/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -11142,9 +11191,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown' ############################################################################### -# BEGIN fix (175 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr' +# BEGIN fix (178 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr' ############################################################################### -(>&2 echo "Remediating rule 175/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'") +(>&2 echo "Remediating rule 178/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -11795,9 +11844,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr' ############################################################################### -# BEGIN fix (176 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr' +# BEGIN fix (179 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr' ############################################################################### -(>&2 echo "Remediating rule 176/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'") +(>&2 echo "Remediating rule 179/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -12448,9 +12497,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr' ############################################################################### -# BEGIN fix (177 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr' +# BEGIN fix (180 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr' ############################################################################### -(>&2 echo "Remediating rule 177/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'") +(>&2 echo "Remediating rule 180/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -13101,9 +13150,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr' ############################################################################### -# BEGIN fix (178 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr' +# BEGIN fix (181 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr' ############################################################################### -(>&2 echo "Remediating rule 178/403: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'") +(>&2 echo "Remediating rule 181/410: 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -13754,9 +13803,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr' ############################################################################### -# BEGIN fix (179 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl' +# BEGIN fix (182 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl' ############################################################################### -(>&2 echo "Remediating rule 179/403: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl'") +(>&2 echo "Remediating rule 182/410: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -14080,9 +14129,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl' ############################################################################### -# BEGIN fix (180 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl' +# BEGIN fix (183 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl' ############################################################################### -(>&2 echo "Remediating rule 180/403: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl'") +(>&2 echo "Remediating rule 183/410: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -14406,9 +14455,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl' ############################################################################### -# BEGIN fix (181 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon' +# BEGIN fix (184 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon' ############################################################################### -(>&2 echo "Remediating rule 181/403: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'") +(>&2 echo "Remediating rule 184/410: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -14732,9 +14781,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon' ############################################################################### -# BEGIN fix (182 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage' +# BEGIN fix (185 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage' ############################################################################### -(>&2 echo "Remediating rule 182/403: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage'") +(>&2 echo "Remediating rule 185/410: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -15058,9 +15107,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage' ############################################################################### -# BEGIN fix (183 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles' +# BEGIN fix (186 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles' ############################################################################### -(>&2 echo "Remediating rule 183/403: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles'") +(>&2 echo "Remediating rule 186/410: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -15384,9 +15433,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles' ############################################################################### -# BEGIN fix (184 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool' +# BEGIN fix (187 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool' ############################################################################### -(>&2 echo "Remediating rule 184/403: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool'") +(>&2 echo "Remediating rule 187/410: 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -15710,9 +15759,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool' ############################################################################### -# BEGIN fix (185 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename' +# BEGIN fix (188 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename' ############################################################################### -(>&2 echo "Remediating rule 185/403: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename'") +(>&2 echo "Remediating rule 188/410: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -16043,9 +16092,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename' ############################################################################### -# BEGIN fix (186 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat' +# BEGIN fix (189 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat' ############################################################################### -(>&2 echo "Remediating rule 186/403: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat'") +(>&2 echo "Remediating rule 189/410: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -16376,9 +16425,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat' ############################################################################### -# BEGIN fix (187 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir' +# BEGIN fix (190 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir' ############################################################################### -(>&2 echo "Remediating rule 187/403: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir'") +(>&2 echo "Remediating rule 190/410: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -16709,9 +16758,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir' ############################################################################### -# BEGIN fix (188 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink' +# BEGIN fix (191 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink' ############################################################################### -(>&2 echo "Remediating rule 188/403: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink'") +(>&2 echo "Remediating rule 191/410: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -17042,9 +17091,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink' ############################################################################### -# BEGIN fix (189 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat' +# BEGIN fix (192 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat' ############################################################################### -(>&2 echo "Remediating rule 189/403: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat'") +(>&2 echo "Remediating rule 192/410: 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -17375,9 +17424,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat' ############################################################################### -# BEGIN fix (190 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat' +# BEGIN fix (193 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat' ############################################################################### -(>&2 echo "Remediating rule 190/403: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat'") +(>&2 echo "Remediating rule 193/410: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -18021,9 +18070,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat' ############################################################################### -# BEGIN fix (191 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate' +# BEGIN fix (194 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate' ############################################################################### -(>&2 echo "Remediating rule 191/403: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate'") +(>&2 echo "Remediating rule 194/410: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -18667,9 +18716,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate' ############################################################################### -# BEGIN fix (192 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open' +# BEGIN fix (195 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open' ############################################################################### -(>&2 echo "Remediating rule 192/403: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open'") +(>&2 echo "Remediating rule 195/410: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then @@ -19313,9 +19362,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open' ############################################################################### -# BEGIN fix (193 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at' +# BEGIN fix (196 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at' ############################################################################### -(>&2 echo "Remediating rule 193/403: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at'") +(>&2 echo "Remediating rule 196/410: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -19959,9 +20008,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at' ############################################################################### -# BEGIN fix (194 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat' +# BEGIN fix (197 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat' ############################################################################### -(>&2 echo "Remediating rule 194/403: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat'") +(>&2 echo "Remediating rule 197/410: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -20605,9 +20654,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat' ############################################################################### -# BEGIN fix (195 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate' +# BEGIN fix (198 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate' ############################################################################### -(>&2 echo "Remediating rule 195/403: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate'") +(>&2 echo "Remediating rule 198/410: 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -21251,9 +21300,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate' ############################################################################### -# BEGIN fix (196 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete' +# BEGIN fix (199 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete' ############################################################################### -(>&2 echo "Remediating rule 196/403: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete'") +(>&2 echo "Remediating rule 199/410: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -21590,9 +21639,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete' ############################################################################### -# BEGIN fix (197 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit' +# BEGIN fix (200 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit' ############################################################################### -(>&2 echo "Remediating rule 197/403: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit'") +(>&2 echo "Remediating rule 200/410: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -21929,9 +21978,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit' ############################################################################### -# BEGIN fix (198 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init' +# BEGIN fix (201 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init' ############################################################################### -(>&2 echo "Remediating rule 198/403: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init'") +(>&2 echo "Remediating rule 201/410: 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -22268,9 +22317,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init' ############################################################################### -# BEGIN fix (199 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' +# BEGIN fix (202 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' ############################################################################### -(>&2 echo "Remediating rule 199/403: 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'") +(>&2 echo "Remediating rule 202/410: 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -22419,9 +22468,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' ############################################################################### -# BEGIN fix (200 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog' +# BEGIN fix (203 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog' ############################################################################### -(>&2 echo "Remediating rule 200/403: 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'") +(>&2 echo "Remediating rule 203/410: 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -22568,9 +22617,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog' ############################################################################### -# BEGIN fix (201 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage' +# BEGIN fix (204 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage' ############################################################################### -(>&2 echo "Remediating rule 201/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'") +(>&2 echo "Remediating rule 204/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -22894,9 +22943,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage' ############################################################################### -# BEGIN fix (202 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh' +# BEGIN fix (205 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh' ############################################################################### -(>&2 echo "Remediating rule 202/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh'") +(>&2 echo "Remediating rule 205/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -23220,9 +23269,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh' ############################################################################### -# BEGIN fix (203 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab' +# BEGIN fix (206 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab' ############################################################################### -(>&2 echo "Remediating rule 203/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab'") +(>&2 echo "Remediating rule 206/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -23546,9 +23595,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab' ############################################################################### -# BEGIN fix (204 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd' +# BEGIN fix (207 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd' ############################################################################### -(>&2 echo "Remediating rule 204/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd'") +(>&2 echo "Remediating rule 207/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -23872,17 +23921,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd' ############################################################################### -# BEGIN fix (205 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod' +# BEGIN fix (208 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod' ############################################################################### -(>&2 echo "Remediating rule 205/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod'") +(>&2 echo "Remediating rule 208/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod' ############################################################################### -# BEGIN fix (206 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount' +# BEGIN fix (209 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount' ############################################################################### -(>&2 echo "Remediating rule 206/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount'") +(>&2 echo "Remediating rule 209/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -24206,9 +24255,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount' ############################################################################### -# BEGIN fix (207 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp' +# BEGIN fix (210 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp' ############################################################################### -(>&2 echo "Remediating rule 207/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp'") +(>&2 echo "Remediating rule 210/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -24532,9 +24581,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp' ############################################################################### -# BEGIN fix (208 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check' +# BEGIN fix (211 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check' ############################################################################### -(>&2 echo "Remediating rule 208/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check'") +(>&2 echo "Remediating rule 211/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -24858,9 +24907,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check' ############################################################################### -# BEGIN fix (209 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd' +# BEGIN fix (212 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd' ############################################################################### -(>&2 echo "Remediating rule 209/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd'") +(>&2 echo "Remediating rule 212/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -25184,9 +25233,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd' ############################################################################### -# BEGIN fix (210 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop' +# BEGIN fix (213 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop' ############################################################################### -(>&2 echo "Remediating rule 210/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop'") +(>&2 echo "Remediating rule 213/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -25510,9 +25559,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop' ############################################################################### -# BEGIN fix (211 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue' +# BEGIN fix (214 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue' ############################################################################### -(>&2 echo "Remediating rule 211/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue'") +(>&2 echo "Remediating rule 214/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -25836,9 +25885,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue' ############################################################################### -# BEGIN fix (212 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent' +# BEGIN fix (215 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent' ############################################################################### -(>&2 echo "Remediating rule 212/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent'") +(>&2 echo "Remediating rule 215/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -26162,9 +26211,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent' ############################################################################### -# BEGIN fix (213 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign' +# BEGIN fix (216 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign' ############################################################################### -(>&2 echo "Remediating rule 213/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign'") +(>&2 echo "Remediating rule 216/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -26488,9 +26537,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign' ############################################################################### -# BEGIN fix (214 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su' +# BEGIN fix (217 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su' ############################################################################### -(>&2 echo "Remediating rule 214/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su'") +(>&2 echo "Remediating rule 217/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -26814,9 +26863,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su' ############################################################################### -# BEGIN fix (215 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo' +# BEGIN fix (218 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo' ############################################################################### -(>&2 echo "Remediating rule 215/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo'") +(>&2 echo "Remediating rule 218/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -27140,9 +27189,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo' ############################################################################### -# BEGIN fix (216 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount' +# BEGIN fix (219 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount' ############################################################################### -(>&2 echo "Remediating rule 216/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount'") +(>&2 echo "Remediating rule 219/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -27466,9 +27515,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount' ############################################################################### -# BEGIN fix (217 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd' +# BEGIN fix (220 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd' ############################################################################### -(>&2 echo "Remediating rule 217/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd'") +(>&2 echo "Remediating rule 220/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -27792,9 +27841,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd' ############################################################################### -# BEGIN fix (218 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update' +# BEGIN fix (221 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update' ############################################################################### -(>&2 echo "Remediating rule 218/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update'") +(>&2 echo "Remediating rule 221/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28118,9 +28167,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update' ############################################################################### -# BEGIN fix (219 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper' +# BEGIN fix (222 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper' ############################################################################### -(>&2 echo "Remediating rule 219/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper'") +(>&2 echo "Remediating rule 222/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28444,9 +28493,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper' ############################################################################### -# BEGIN fix (220 / 403) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod' +# BEGIN fix (223 / 410) for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod' ############################################################################### -(>&2 echo "Remediating rule 220/403: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod'") +(>&2 echo "Remediating rule 223/410: 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28770,17 +28819,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod' ############################################################################### -# BEGIN fix (221 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition' +# BEGIN fix (224 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition' ############################################################################### -(>&2 echo "Remediating rule 221/403: 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition'") +(>&2 echo "Remediating rule 224/410: 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition' ############################################################################### -# BEGIN fix (222 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action' +# BEGIN fix (225 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action' ############################################################################### -(>&2 echo "Remediating rule 222/403: 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action'") +(>&2 echo "Remediating rule 225/410: 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28823,9 +28872,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action' ############################################################################### -# BEGIN fix (223 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action' +# BEGIN fix (226 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action' ############################################################################### -(>&2 echo "Remediating rule 223/403: 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action'") +(>&2 echo "Remediating rule 226/410: 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28863,9 +28912,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action' ############################################################################### -# BEGIN fix (224 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct' +# BEGIN fix (227 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct' ############################################################################### -(>&2 echo "Remediating rule 224/403: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct'") +(>&2 echo "Remediating rule 227/410: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28903,9 +28952,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct' ############################################################################### -# BEGIN fix (225 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' +# BEGIN fix (228 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' ############################################################################### -(>&2 echo "Remediating rule 225/403: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action'") +(>&2 echo "Remediating rule 228/410: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28949,9 +28998,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' ############################################################################### -# BEGIN fix (226 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage' +# BEGIN fix (229 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage' ############################################################################### -(>&2 echo "Remediating rule 226/403: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage'") +(>&2 echo "Remediating rule 229/410: 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28969,9 +29018,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage' ############################################################################### -# BEGIN fix (227 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_local_events' +# BEGIN fix (230 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_local_events' ############################################################################### -(>&2 echo "Remediating rule 227/403: 'xccdf_org.ssgproject.content_rule_auditd_local_events'") +(>&2 echo "Remediating rule 230/410: 'xccdf_org.ssgproject.content_rule_auditd_local_events'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -28997,9 +29046,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_local_events' ############################################################################### -# BEGIN fix (228 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_log_format' +# BEGIN fix (231 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_log_format' ############################################################################### -(>&2 echo "Remediating rule 228/403: 'xccdf_org.ssgproject.content_rule_auditd_log_format'") +(>&2 echo "Remediating rule 231/410: 'xccdf_org.ssgproject.content_rule_auditd_log_format'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -29025,9 +29074,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_log_format' ############################################################################### -# BEGIN fix (229 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_name_format' +# BEGIN fix (232 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_name_format' ############################################################################### -(>&2 echo "Remediating rule 229/403: 'xccdf_org.ssgproject.content_rule_auditd_name_format'") +(>&2 echo "Remediating rule 232/410: 'xccdf_org.ssgproject.content_rule_auditd_name_format'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -29058,9 +29107,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_name_format' ############################################################################### -# BEGIN fix (230 / 403) for 'xccdf_org.ssgproject.content_rule_auditd_overflow_action' +# BEGIN fix (233 / 410) for 'xccdf_org.ssgproject.content_rule_auditd_overflow_action' ############################################################################### -(>&2 echo "Remediating rule 230/403: 'xccdf_org.ssgproject.content_rule_auditd_overflow_action'") +(>&2 echo "Remediating rule 233/410: 'xccdf_org.ssgproject.content_rule_auditd_overflow_action'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then @@ -29086,9 +29135,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_auditd_overflow_action' ############################################################################### -# BEGIN fix (231 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' +# BEGIN fix (234 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' ############################################################################### -(>&2 echo "Remediating rule 231/403: 'xccdf_org.ssgproject.content_rule_grub2_pti_argument'") +(>&2 echo "Remediating rule 234/410: 'xccdf_org.ssgproject.content_rule_grub2_pti_argument'") # Remediation is applicable only in certain platforms if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -29101,9 +29150,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' ############################################################################### -# BEGIN fix (232 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' +# BEGIN fix (235 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' ############################################################################### -(>&2 echo "Remediating rule 232/403: 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument'") +(>&2 echo "Remediating rule 235/410: 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument'") # Remediation is applicable only in certain platforms if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -29116,41 +29165,41 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' ############################################################################### -# BEGIN fix (233 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_admin_username' +# BEGIN fix (236 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_admin_username' ############################################################################### -(>&2 echo "Remediating rule 233/403: 'xccdf_org.ssgproject.content_rule_grub2_admin_username'") +(>&2 echo "Remediating rule 236/410: 'xccdf_org.ssgproject.content_rule_grub2_admin_username'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_admin_username' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_grub2_admin_username' ############################################################################### -# BEGIN fix (234 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_password' +# BEGIN fix (237 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_password' ############################################################################### -(>&2 echo "Remediating rule 234/403: 'xccdf_org.ssgproject.content_rule_grub2_password'") +(>&2 echo "Remediating rule 237/410: 'xccdf_org.ssgproject.content_rule_grub2_password'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_password' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_grub2_password' ############################################################################### -# BEGIN fix (235 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username' +# BEGIN fix (238 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username' ############################################################################### -(>&2 echo "Remediating rule 235/403: 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username'") +(>&2 echo "Remediating rule 238/410: 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username' ############################################################################### -# BEGIN fix (236 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' +# BEGIN fix (239 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' ############################################################################### -(>&2 echo "Remediating rule 236/403: 'xccdf_org.ssgproject.content_rule_grub2_uefi_password'") +(>&2 echo "Remediating rule 239/410: 'xccdf_org.ssgproject.content_rule_grub2_uefi_password'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' ############################################################################### -# BEGIN fix (237 / 403) for 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed' +# BEGIN fix (240 / 410) for 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed' ############################################################################### -(>&2 echo "Remediating rule 237/403: 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed'") +(>&2 echo "Remediating rule 240/410: 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29165,9 +29214,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed' ############################################################################### -# BEGIN fix (238 / 403) for 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed' +# BEGIN fix (241 / 410) for 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed' ############################################################################### -(>&2 echo "Remediating rule 238/403: 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed'") +(>&2 echo "Remediating rule 241/410: 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29182,9 +29231,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed' ############################################################################### -# BEGIN fix (239 / 403) for 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled' +# BEGIN fix (242 / 410) for 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled' ############################################################################### -(>&2 echo "Remediating rule 239/403: 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled'") +(>&2 echo "Remediating rule 242/410: 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29200,9 +29249,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled' ############################################################################### -# BEGIN fix (240 / 403) for 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' +# BEGIN fix (243 / 410) for 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' ############################################################################### -(>&2 echo "Remediating rule 240/403: 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging'") +(>&2 echo "Remediating rule 243/410: 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29220,9 +29269,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' ############################################################################### -# BEGIN fix (241 / 403) for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' +# BEGIN fix (244 / 410) for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' ############################################################################### -(>&2 echo "Remediating rule 241/403: 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode'") +(>&2 echo "Remediating rule 244/410: 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29250,9 +29299,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' ############################################################################### -# BEGIN fix (242 / 403) for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' +# BEGIN fix (245 / 410) for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' ############################################################################### -(>&2 echo "Remediating rule 242/403: 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode'") +(>&2 echo "Remediating rule 245/410: 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29278,9 +29327,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' ############################################################################### -# BEGIN fix (243 / 403) for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' +# BEGIN fix (246 / 410) for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' ############################################################################### -(>&2 echo "Remediating rule 243/403: 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver'") +(>&2 echo "Remediating rule 246/410: 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29306,9 +29355,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' ############################################################################### -# BEGIN fix (244 / 403) for 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring' +# BEGIN fix (247 / 410) for 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring' ############################################################################### -(>&2 echo "Remediating rule 244/403: 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring'") +(>&2 echo "Remediating rule 247/410: 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29343,9 +29392,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring' ############################################################################### -# BEGIN fix (245 / 403) for 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' +# BEGIN fix (248 / 410) for 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' ############################################################################### -(>&2 echo "Remediating rule 245/403: 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost'") +(>&2 echo "Remediating rule 248/410: 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29381,17 +29430,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' ############################################################################### -# BEGIN fix (246 / 403) for 'xccdf_org.ssgproject.content_rule_network_configure_name_resolution' +# BEGIN fix (249 / 410) for 'xccdf_org.ssgproject.content_rule_network_configure_name_resolution' ############################################################################### -(>&2 echo "Remediating rule 246/403: 'xccdf_org.ssgproject.content_rule_network_configure_name_resolution'") +(>&2 echo "Remediating rule 249/410: 'xccdf_org.ssgproject.content_rule_network_configure_name_resolution'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_network_configure_name_resolution' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_network_configure_name_resolution' ############################################################################### -# BEGIN fix (247 / 403) for 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled' +# BEGIN fix (250 / 410) for 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled' ############################################################################### -(>&2 echo "Remediating rule 247/403: 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled'") +(>&2 echo "Remediating rule 250/410: 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29406,9 +29455,46 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_network_sniffer_disabled' ############################################################################### -# BEGIN fix (248 / 403) for 'xccdf_org.ssgproject.content_rule_package_firewalld_installed' +# BEGIN fix (251 / 410) for 'xccdf_org.ssgproject.content_rule_firewalld-backend' ############################################################################### -(>&2 echo "Remediating rule 248/403: 'xccdf_org.ssgproject.content_rule_package_firewalld_installed'") +(>&2 echo "Remediating rule 251/410: 'xccdf_org.ssgproject.content_rule_firewalld-backend'") +# Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then + +if [ -e "/etc/firewalld/firewalld.conf" ] ; then + + LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf" +else + touch "/etc/firewalld/firewalld.conf" +fi +# make sure file has newline at the end +sed -i -e '$a\' "/etc/firewalld/firewalld.conf" + +cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak" +# Insert before the line matching the regex '^#\s*FirewallBackend'. +line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^#\s*FirewallBackend', insert at + # the end of the file. + printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" +else + head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf" + printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf" + tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf" +fi +# Clean up after ourselves. +rm "/etc/firewalld/firewalld.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + +# END fix for 'xccdf_org.ssgproject.content_rule_firewalld-backend' + +############################################################################### +# BEGIN fix (252 / 410) for 'xccdf_org.ssgproject.content_rule_package_firewalld_installed' +############################################################################### +(>&2 echo "Remediating rule 252/410: 'xccdf_org.ssgproject.content_rule_package_firewalld_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29423,9 +29509,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_firewalld_installed' ############################################################################### -# BEGIN fix (249 / 403) for 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled' +# BEGIN fix (253 / 410) for 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled' ############################################################################### -(>&2 echo "Remediating rule 249/403: 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled'") +(>&2 echo "Remediating rule 253/410: 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q firewalld; }; then @@ -29441,17 +29527,33 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled' ############################################################################### -# BEGIN fix (250 / 403) for 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports' +# BEGIN fix (254 / 410) for 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports' ############################################################################### -(>&2 echo "Remediating rule 250/403: 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports'") +(>&2 echo "Remediating rule 254/410: 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports' ############################################################################### -# BEGIN fix (251 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' +# BEGIN fix (255 / 410) for 'xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny' +############################################################################### +(>&2 echo "Remediating rule 255/410: 'xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny'") +(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny' IS MISSING!") + +# END fix for 'xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny' + +############################################################################### +# BEGIN fix (256 / 410) for 'xccdf_org.ssgproject.content_rule_set_firewalld_default_zone' ############################################################################### -(>&2 echo "Remediating rule 251/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra'") +(>&2 echo "Remediating rule 256/410: 'xccdf_org.ssgproject.content_rule_set_firewalld_default_zone'") +(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_set_firewalld_default_zone' IS MISSING!") + +# END fix for 'xccdf_org.ssgproject.content_rule_set_firewalld_default_zone' + +############################################################################### +# BEGIN fix (257 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' +############################################################################### +(>&2 echo "Remediating rule 257/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29517,9 +29619,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' ############################################################################### -# BEGIN fix (252 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' +# BEGIN fix (258 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' ############################################################################### -(>&2 echo "Remediating rule 252/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects'") +(>&2 echo "Remediating rule 258/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29585,9 +29687,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' ############################################################################### -# BEGIN fix (253 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' +# BEGIN fix (259 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' ############################################################################### -(>&2 echo "Remediating rule 253/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route'") +(>&2 echo "Remediating rule 259/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29653,9 +29755,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' ############################################################################### -# BEGIN fix (254 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' +# BEGIN fix (260 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' ############################################################################### -(>&2 echo "Remediating rule 254/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding'") +(>&2 echo "Remediating rule 260/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29721,9 +29823,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' ############################################################################### -# BEGIN fix (255 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' +# BEGIN fix (261 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' ############################################################################### -(>&2 echo "Remediating rule 255/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra'") +(>&2 echo "Remediating rule 261/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29789,9 +29891,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' ############################################################################### -# BEGIN fix (256 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' +# BEGIN fix (262 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' ############################################################################### -(>&2 echo "Remediating rule 256/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects'") +(>&2 echo "Remediating rule 262/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29857,9 +29959,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' ############################################################################### -# BEGIN fix (257 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' +# BEGIN fix (263 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' ############################################################################### -(>&2 echo "Remediating rule 257/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route'") +(>&2 echo "Remediating rule 263/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29925,9 +30027,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' ############################################################################### -# BEGIN fix (258 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' +# BEGIN fix (264 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' ############################################################################### -(>&2 echo "Remediating rule 258/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects'") +(>&2 echo "Remediating rule 264/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -29993,9 +30095,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' ############################################################################### -# BEGIN fix (259 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' +# BEGIN fix (265 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' ############################################################################### -(>&2 echo "Remediating rule 259/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route'") +(>&2 echo "Remediating rule 265/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30061,9 +30163,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' ############################################################################### -# BEGIN fix (260 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding' +# BEGIN fix (266 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding' ############################################################################### -(>&2 echo "Remediating rule 260/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding'") +(>&2 echo "Remediating rule 266/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30129,9 +30231,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding' ############################################################################### -# BEGIN fix (261 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' +# BEGIN fix (267 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' ############################################################################### -(>&2 echo "Remediating rule 261/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter'") +(>&2 echo "Remediating rule 267/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30197,9 +30299,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' ############################################################################### -# BEGIN fix (262 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' +# BEGIN fix (268 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' ############################################################################### -(>&2 echo "Remediating rule 262/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects'") +(>&2 echo "Remediating rule 268/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30265,9 +30367,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' ############################################################################### -# BEGIN fix (263 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' +# BEGIN fix (269 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' ############################################################################### -(>&2 echo "Remediating rule 263/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route'") +(>&2 echo "Remediating rule 269/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30333,9 +30435,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' ############################################################################### -# BEGIN fix (264 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' +# BEGIN fix (270 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' ############################################################################### -(>&2 echo "Remediating rule 264/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts'") +(>&2 echo "Remediating rule 270/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30401,9 +30503,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' ############################################################################### -# BEGIN fix (265 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' +# BEGIN fix (271 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' ############################################################################### -(>&2 echo "Remediating rule 265/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects'") +(>&2 echo "Remediating rule 271/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30467,9 +30569,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' ############################################################################### -# BEGIN fix (266 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' +# BEGIN fix (272 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' ############################################################################### -(>&2 echo "Remediating rule 266/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects'") +(>&2 echo "Remediating rule 272/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30533,9 +30635,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' ############################################################################### -# BEGIN fix (267 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' +# BEGIN fix (273 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' ############################################################################### -(>&2 echo "Remediating rule 267/403: 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled'") +(>&2 echo "Remediating rule 273/410: 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30558,9 +30660,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' ############################################################################### -# BEGIN fix (268 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' +# BEGIN fix (274 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' ############################################################################### -(>&2 echo "Remediating rule 268/403: 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled'") +(>&2 echo "Remediating rule 274/410: 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30583,9 +30685,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' ############################################################################### -# BEGIN fix (269 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' +# BEGIN fix (275 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' ############################################################################### -(>&2 echo "Remediating rule 269/403: 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled'") +(>&2 echo "Remediating rule 275/410: 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30608,9 +30710,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' ############################################################################### -# BEGIN fix (270 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' +# BEGIN fix (276 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' ############################################################################### -(>&2 echo "Remediating rule 270/403: 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled'") +(>&2 echo "Remediating rule 276/410: 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30633,9 +30735,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' ############################################################################### -# BEGIN fix (271 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' +# BEGIN fix (277 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' ############################################################################### -(>&2 echo "Remediating rule 271/403: 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled'") +(>&2 echo "Remediating rule 277/410: 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30658,9 +30760,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' ############################################################################### -# BEGIN fix (272 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' +# BEGIN fix (278 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' ############################################################################### -(>&2 echo "Remediating rule 272/403: 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled'") +(>&2 echo "Remediating rule 278/410: 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30683,9 +30785,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' ############################################################################### -# BEGIN fix (273 / 403) for 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces' +# BEGIN fix (279 / 410) for 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces' ############################################################################### -(>&2 echo "Remediating rule 273/403: 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces'") +(>&2 echo "Remediating rule 279/410: 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces'") if ! rpm -q --quiet "NetworkManager" ; then yum install -y "NetworkManager" @@ -30696,9 +30798,9 @@ nmcli radio all off # END fix for 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces' ############################################################################### -# BEGIN fix (274 / 403) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned' +# BEGIN fix (280 / 410) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned' ############################################################################### -(>&2 echo "Remediating rule 274/403: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned'") +(>&2 echo "Remediating rule 280/410: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned'") # At least under containerized env /proc can have files w/o possilibity to # modify even as root. And touching /proc is not good idea anyways. @@ -30712,9 +30814,9 @@ find / -path /proc -prune -o \ # END fix for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned' ############################################################################### -# BEGIN fix (275 / 403) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits' +# BEGIN fix (281 / 410) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits' ############################################################################### -(>&2 echo "Remediating rule 275/403: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits'") +(>&2 echo "Remediating rule 281/410: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits'") df --local -P | awk '{if (NR!=1) print $6}' \ | xargs -I '$6' find '$6' -xdev -type d \ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ @@ -30723,17 +30825,17 @@ df --local -P | awk '{if (NR!=1) print $6}' \ # END fix for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits' ############################################################################### -# BEGIN fix (276 / 403) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group' +# BEGIN fix (282 / 410) for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group' ############################################################################### -(>&2 echo "Remediating rule 276/403: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group'") +(>&2 echo "Remediating rule 282/410: 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group' ############################################################################### -# BEGIN fix (277 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd' +# BEGIN fix (283 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd' ############################################################################### -(>&2 echo "Remediating rule 277/403: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd'") +(>&2 echo "Remediating rule 283/410: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd'") @@ -30744,9 +30846,9 @@ chmod u-xs,g-xws,o-xwrt /etc/audit/auditd.conf # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd' ############################################################################### -# BEGIN fix (278 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' +# BEGIN fix (284 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' ############################################################################### -(>&2 echo "Remediating rule 278/403: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd'") +(>&2 echo "Remediating rule 284/410: 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd'") @@ -30757,25 +30859,25 @@ find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' ############################################################################### -# BEGIN fix (279 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' +# BEGIN fix (285 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' ############################################################################### -(>&2 echo "Remediating rule 279/403: 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'") +(>&2 echo "Remediating rule 285/410: 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned' ############################################################################### -# BEGIN fix (280 / 403) for 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' +# BEGIN fix (286 / 410) for 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' ############################################################################### -(>&2 echo "Remediating rule 280/403: 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user'") +(>&2 echo "Remediating rule 286/410: 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user' ############################################################################### -# BEGIN fix (281 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' +# BEGIN fix (287 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' ############################################################################### -(>&2 echo "Remediating rule 281/403: 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks'") +(>&2 echo "Remediating rule 287/410: 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30839,9 +30941,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' ############################################################################### -# BEGIN fix (282 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' +# BEGIN fix (288 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' ############################################################################### -(>&2 echo "Remediating rule 282/403: 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks'") +(>&2 echo "Remediating rule 288/410: 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -30905,41 +31007,41 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' ############################################################################### -# BEGIN fix (283 / 403) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log' +# BEGIN fix (289 / 410) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log' ############################################################################### -(>&2 echo "Remediating rule 283/403: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log'") +(>&2 echo "Remediating rule 289/410: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log'") find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log' ############################################################################### -# BEGIN fix (284 / 403) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages' +# BEGIN fix (290 / 410) for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages' ############################################################################### -(>&2 echo "Remediating rule 284/403: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages'") +(>&2 echo "Remediating rule 290/410: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages'") chgrp 0 /var/log/messages # END fix for 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages' ############################################################################### -# BEGIN fix (285 / 403) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log' +# BEGIN fix (291 / 410) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log' ############################################################################### -(>&2 echo "Remediating rule 285/403: 'xccdf_org.ssgproject.content_rule_file_owner_var_log'") +(>&2 echo "Remediating rule 291/410: 'xccdf_org.ssgproject.content_rule_file_owner_var_log'") find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log' ############################################################################### -# BEGIN fix (286 / 403) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages' +# BEGIN fix (292 / 410) for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages' ############################################################################### -(>&2 echo "Remediating rule 286/403: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages'") +(>&2 echo "Remediating rule 292/410: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages'") chown 0 /var/log/messages # END fix for 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages' ############################################################################### -# BEGIN fix (287 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log' +# BEGIN fix (293 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log' ############################################################################### -(>&2 echo "Remediating rule 287/403: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log'") +(>&2 echo "Remediating rule 293/410: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log'") @@ -30950,9 +31052,9 @@ find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws, # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log' ############################################################################### -# BEGIN fix (288 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' +# BEGIN fix (294 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' ############################################################################### -(>&2 echo "Remediating rule 288/403: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages'") +(>&2 echo "Remediating rule 294/410: 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages'") @@ -30963,9 +31065,9 @@ chmod u-xs,g-xws,o-xwrt /var/log/messages # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' ############################################################################### -# BEGIN fix (289 / 403) for 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs' +# BEGIN fix (295 / 410) for 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs' ############################################################################### -(>&2 echo "Remediating rule 289/403: 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs'") +(>&2 echo "Remediating rule 295/410: 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs'") find -H /lib/ -type d -exec chgrp 0 {} \; find -H /lib64/ -type d -exec chgrp 0 {} \; find -H /usr/lib/ -type d -exec chgrp 0 {} \; @@ -30974,9 +31076,9 @@ find -H /usr/lib64/ -type d -exec chgrp 0 {} \; # END fix for 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs' ############################################################################### -# BEGIN fix (290 / 403) for 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' +# BEGIN fix (296 / 410) for 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' ############################################################################### -(>&2 echo "Remediating rule 290/403: 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs'") +(>&2 echo "Remediating rule 296/410: 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs'") find -H /lib/ -type d -exec chown 0 {} \; find -H /lib64/ -type d -exec chown 0 {} \; find -H /usr/lib/ -type d -exec chown 0 {} \; @@ -30985,9 +31087,9 @@ find -H /usr/lib64/ -type d -exec chown 0 {} \; # END fix for 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' ############################################################################### -# BEGIN fix (291 / 403) for 'xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs' +# BEGIN fix (297 / 410) for 'xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs' ############################################################################### -(>&2 echo "Remediating rule 291/403: 'xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs'") +(>&2 echo "Remediating rule 297/410: 'xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs'") @@ -31004,9 +31106,9 @@ find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \; # END fix for 'xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs' ############################################################################### -# BEGIN fix (292 / 403) for 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs' +# BEGIN fix (298 / 410) for 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs' ############################################################################### -(>&2 echo "Remediating rule 292/403: 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs'") +(>&2 echo "Remediating rule 298/410: 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs'") for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin do @@ -31016,9 +31118,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs' ############################################################################### -# BEGIN fix (293 / 403) for 'xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs' +# BEGIN fix (299 / 410) for 'xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs' ############################################################################### -(>&2 echo "Remediating rule 293/403: 'xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs'") +(>&2 echo "Remediating rule 299/410: 'xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs'") find /bin/ \ /usr/bin/ \ /usr/local/bin/ \ @@ -31031,9 +31133,9 @@ find /bin/ \ # END fix for 'xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs' ############################################################################### -# BEGIN fix (294 / 403) for 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' +# BEGIN fix (300 / 410) for 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' ############################################################################### -(>&2 echo "Remediating rule 294/403: 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs'") +(>&2 echo "Remediating rule 300/410: 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs'") find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; @@ -31046,9 +31148,9 @@ find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \; # END fix for 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' ############################################################################### -# BEGIN fix (295 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs' +# BEGIN fix (301 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs' ############################################################################### -(>&2 echo "Remediating rule 295/403: 'xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs'") +(>&2 echo "Remediating rule 301/410: 'xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs'") DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" for dirPath in $DIRS; do find "$dirPath" -perm /022 -exec chmod go-w '{}' \; @@ -31057,9 +31159,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs' ############################################################################### -# BEGIN fix (296 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' +# BEGIN fix (302 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' ############################################################################### -(>&2 echo "Remediating rule 296/403: 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs'") +(>&2 echo "Remediating rule 302/410: 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs'") @@ -31076,9 +31178,9 @@ find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w { # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' ############################################################################### -# BEGIN fix (297 / 403) for 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' +# BEGIN fix (303 / 410) for 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' ############################################################################### -(>&2 echo "Remediating rule 297/403: 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files'") +(>&2 echo "Remediating rule 303/410: 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files'") find /lib/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; @@ -31091,9 +31193,9 @@ find /usr/lib64/ -type f ! -group 0 -regex '^.*$' -exec chgrp 0 {} \; # END fix for 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' ############################################################################### -# BEGIN fix (298 / 403) for 'xccdf_org.ssgproject.content_rule_service_autofs_disabled' +# BEGIN fix (304 / 410) for 'xccdf_org.ssgproject.content_rule_service_autofs_disabled' ############################################################################### -(>&2 echo "Remediating rule 298/403: 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'") +(>&2 echo "Remediating rule 304/410: 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31118,9 +31220,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_autofs_disabled' ############################################################################### -# BEGIN fix (299 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' +# BEGIN fix (305 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' ############################################################################### -(>&2 echo "Remediating rule 299/403: 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled'") +(>&2 echo "Remediating rule 305/410: 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31143,9 +31245,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' ############################################################################### -# BEGIN fix (300 / 403) for 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled' +# BEGIN fix (306 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled' ############################################################################### -(>&2 echo "Remediating rule 300/403: 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled'") +(>&2 echo "Remediating rule 306/410: 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31168,9 +31270,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled' ############################################################################### -# BEGIN fix (301 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' +# BEGIN fix (307 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' ############################################################################### -(>&2 echo "Remediating rule 301/403: 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid'") +(>&2 echo "Remediating rule 307/410: 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && [ -d /sys/firmware/efi ] ); then @@ -31222,9 +31324,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' ############################################################################### -# BEGIN fix (302 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' +# BEGIN fix (308 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' ############################################################################### -(>&2 echo "Remediating rule 302/403: 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid'") +(>&2 echo "Remediating rule 308/410: 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31276,9 +31378,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid' ############################################################################### -# BEGIN fix (303 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' +# BEGIN fix (309 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' ############################################################################### -(>&2 echo "Remediating rule 303/403: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev'") +(>&2 echo "Remediating rule 309/410: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31324,9 +31426,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev' ############################################################################### -# BEGIN fix (304 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' +# BEGIN fix (310 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' ############################################################################### -(>&2 echo "Remediating rule 304/403: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec'") +(>&2 echo "Remediating rule 310/410: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31372,9 +31474,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec' ############################################################################### -# BEGIN fix (305 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' +# BEGIN fix (311 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' ############################################################################### -(>&2 echo "Remediating rule 305/403: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid'") +(>&2 echo "Remediating rule 311/410: 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31420,9 +31522,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid' ############################################################################### -# BEGIN fix (306 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' +# BEGIN fix (312 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' ############################################################################### -(>&2 echo "Remediating rule 306/403: 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec'") +(>&2 echo "Remediating rule 312/410: 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31474,9 +31576,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_home_noexec' ############################################################################### -# BEGIN fix (307 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' +# BEGIN fix (313 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' ############################################################################### -(>&2 echo "Remediating rule 307/403: 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid'") +(>&2 echo "Remediating rule 313/410: 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null ); then @@ -31528,9 +31630,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_home_nosuid' ############################################################################### -# BEGIN fix (308 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' +# BEGIN fix (314 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' ############################################################################### -(>&2 echo "Remediating rule 308/403: 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions'") +(>&2 echo "Remediating rule 314/410: 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31585,9 +31687,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' ############################################################################### -# BEGIN fix (309 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions' +# BEGIN fix (315 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions' ############################################################################### -(>&2 echo "Remediating rule 309/403: 'xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions'") +(>&2 echo "Remediating rule 315/410: 'xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31611,9 +31713,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions' ############################################################################### -# BEGIN fix (310 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions' +# BEGIN fix (316 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions' ############################################################################### -(>&2 echo "Remediating rule 310/403: 'xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions'") +(>&2 echo "Remediating rule 316/410: 'xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31637,9 +31739,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions' ############################################################################### -# BEGIN fix (311 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions' +# BEGIN fix (317 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions' ############################################################################### -(>&2 echo "Remediating rule 311/403: 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions'") +(>&2 echo "Remediating rule 317/410: 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -31663,9 +31765,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions' ############################################################################### -# BEGIN fix (312 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' +# BEGIN fix (318 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' ############################################################################### -(>&2 echo "Remediating rule 312/403: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'") +(>&2 echo "Remediating rule 318/410: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then @@ -31717,9 +31819,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev' ############################################################################### -# BEGIN fix (313 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' +# BEGIN fix (319 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' ############################################################################### -(>&2 echo "Remediating rule 313/403: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec'") +(>&2 echo "Remediating rule 319/410: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then @@ -31771,9 +31873,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec' ############################################################################### -# BEGIN fix (314 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' +# BEGIN fix (320 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' ############################################################################### -(>&2 echo "Remediating rule 314/403: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid'") +(>&2 echo "Remediating rule 320/410: 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null || findmnt --fstab "/tmp" > /dev/null ); then @@ -31825,9 +31927,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid' ############################################################################### -# BEGIN fix (315 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' +# BEGIN fix (321 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' ############################################################################### -(>&2 echo "Remediating rule 315/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev'") +(>&2 echo "Remediating rule 321/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then @@ -31879,9 +31981,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev' ############################################################################### -# BEGIN fix (316 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' +# BEGIN fix (322 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' ############################################################################### -(>&2 echo "Remediating rule 316/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec'") +(>&2 echo "Remediating rule 322/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then @@ -31933,9 +32035,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec' ############################################################################### -# BEGIN fix (317 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' +# BEGIN fix (323 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' ############################################################################### -(>&2 echo "Remediating rule 317/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid'") +(>&2 echo "Remediating rule 323/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then @@ -31987,9 +32089,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid' ############################################################################### -# BEGIN fix (318 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' +# BEGIN fix (324 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' ############################################################################### -(>&2 echo "Remediating rule 318/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev'") +(>&2 echo "Remediating rule 324/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then @@ -32041,9 +32143,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev' ############################################################################### -# BEGIN fix (319 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' +# BEGIN fix (325 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' ############################################################################### -(>&2 echo "Remediating rule 319/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec'") +(>&2 echo "Remediating rule 325/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then @@ -32095,9 +32197,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec' ############################################################################### -# BEGIN fix (320 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' +# BEGIN fix (326 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' ############################################################################### -(>&2 echo "Remediating rule 320/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid'") +(>&2 echo "Remediating rule 326/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log" > /dev/null || findmnt --fstab "/var/log" > /dev/null ); then @@ -32149,9 +32251,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid' ############################################################################### -# BEGIN fix (321 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev' +# BEGIN fix (327 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev' ############################################################################### -(>&2 echo "Remediating rule 321/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev'") +(>&2 echo "Remediating rule 327/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then @@ -32203,9 +32305,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev' ############################################################################### -# BEGIN fix (322 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec' +# BEGIN fix (328 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec' ############################################################################### -(>&2 echo "Remediating rule 322/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec'") +(>&2 echo "Remediating rule 328/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then @@ -32257,9 +32359,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec' ############################################################################### -# BEGIN fix (323 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid' +# BEGIN fix (329 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid' ############################################################################### -(>&2 echo "Remediating rule 323/403: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid'") +(>&2 echo "Remediating rule 329/410: 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then @@ -32311,9 +32413,34 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid' ############################################################################### -# BEGIN fix (324 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' +# BEGIN fix (330 / 410) for 'xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled' +############################################################################### +(>&2 echo "Remediating rule 330/410: 'xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled'") +# Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then + + sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf + echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf +fi + +if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then + echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + +# END fix for 'xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled' + +############################################################################### +# BEGIN fix (331 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' ############################################################################### -(>&2 echo "Remediating rule 324/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern'") +(>&2 echo "Remediating rule 331/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32377,9 +32504,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' ############################################################################### -# BEGIN fix (325 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' +# BEGIN fix (332 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' ############################################################################### -(>&2 echo "Remediating rule 325/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict'") +(>&2 echo "Remediating rule 332/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32443,9 +32570,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' ############################################################################### -# BEGIN fix (326 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' +# BEGIN fix (333 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' ############################################################################### -(>&2 echo "Remediating rule 326/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled'") +(>&2 echo "Remediating rule 333/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32509,9 +32636,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' ############################################################################### -# BEGIN fix (327 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' +# BEGIN fix (334 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' ############################################################################### -(>&2 echo "Remediating rule 327/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid'") +(>&2 echo "Remediating rule 334/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32575,9 +32702,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' ############################################################################### -# BEGIN fix (328 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' +# BEGIN fix (335 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' ############################################################################### -(>&2 echo "Remediating rule 328/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled'") +(>&2 echo "Remediating rule 335/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32641,9 +32768,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' ############################################################################### -# BEGIN fix (329 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' +# BEGIN fix (336 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' ############################################################################### -(>&2 echo "Remediating rule 329/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope'") +(>&2 echo "Remediating rule 336/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32707,9 +32834,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' ############################################################################### -# BEGIN fix (330 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' +# BEGIN fix (337 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' ############################################################################### -(>&2 echo "Remediating rule 330/403: 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden'") +(>&2 echo "Remediating rule 337/410: 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32773,9 +32900,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' ############################################################################### -# BEGIN fix (331 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' +# BEGIN fix (338 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' ############################################################################### -(>&2 echo "Remediating rule 331/403: 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces'") +(>&2 echo "Remediating rule 338/410: 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32839,9 +32966,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' ############################################################################### -# BEGIN fix (332 / 403) for 'xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled' +# BEGIN fix (339 / 410) for 'xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled' ############################################################################### -(>&2 echo "Remediating rule 332/403: 'xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled'") +(>&2 echo "Remediating rule 339/410: 'xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -32860,9 +32987,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled' ############################################################################### -# BEGIN fix (333 / 403) for 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' +# BEGIN fix (340 / 410) for 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' ############################################################################### -(>&2 echo "Remediating rule 333/403: 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces'") +(>&2 echo "Remediating rule 340/410: 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces'") # Remediation is applicable only in certain platforms if rpm --quiet -q systemd; then @@ -32888,9 +33015,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' ############################################################################### -# BEGIN fix (334 / 403) for 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' +# BEGIN fix (341 / 410) for 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' ############################################################################### -(>&2 echo "Remediating rule 334/403: 'xccdf_org.ssgproject.content_rule_coredump_disable_storage'") +(>&2 echo "Remediating rule 341/410: 'xccdf_org.ssgproject.content_rule_coredump_disable_storage'") # Remediation is applicable only in certain platforms if rpm --quiet -q systemd; then @@ -32916,9 +33043,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' ############################################################################### -# BEGIN fix (335 / 403) for 'xccdf_org.ssgproject.content_rule_disable_users_coredumps' +# BEGIN fix (342 / 410) for 'xccdf_org.ssgproject.content_rule_disable_users_coredumps' ############################################################################### -(>&2 echo "Remediating rule 335/403: 'xccdf_org.ssgproject.content_rule_disable_users_coredumps'") +(>&2 echo "Remediating rule 342/410: 'xccdf_org.ssgproject.content_rule_disable_users_coredumps'") # Remediation is applicable only in certain platforms if rpm --quiet -q pam; then @@ -32941,9 +33068,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_disable_users_coredumps' ############################################################################### -# BEGIN fix (336 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' +# BEGIN fix (343 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' ############################################################################### -(>&2 echo "Remediating rule 336/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict'") +(>&2 echo "Remediating rule 343/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33009,9 +33136,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' ############################################################################### -# BEGIN fix (337 / 403) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space' +# BEGIN fix (344 / 410) for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space' ############################################################################### -(>&2 echo "Remediating rule 337/403: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space'") +(>&2 echo "Remediating rule 344/410: 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33075,17 +33202,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space' ############################################################################### -# BEGIN fix (338 / 403) for 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions' +# BEGIN fix (345 / 410) for 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions' ############################################################################### -(>&2 echo "Remediating rule 338/403: 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions'") +(>&2 echo "Remediating rule 345/410: 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions' ############################################################################### -# BEGIN fix (339 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' +# BEGIN fix (346 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' ############################################################################### -(>&2 echo "Remediating rule 339/403: 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument'") +(>&2 echo "Remediating rule 346/410: 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then @@ -33098,9 +33225,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' ############################################################################### -# BEGIN fix (340 / 403) for 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' +# BEGIN fix (347 / 410) for 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' ############################################################################### -(>&2 echo "Remediating rule 340/403: 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument'") +(>&2 echo "Remediating rule 347/410: 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then @@ -33117,9 +33244,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' ############################################################################### -# BEGIN fix (341 / 403) for 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed' +# BEGIN fix (348 / 410) for 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed' ############################################################################### -(>&2 echo "Remediating rule 341/403: 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed'") +(>&2 echo "Remediating rule 348/410: 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33134,9 +33261,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed' ############################################################################### -# BEGIN fix (342 / 403) for 'xccdf_org.ssgproject.content_rule_selinux_policytype' +# BEGIN fix (349 / 410) for 'xccdf_org.ssgproject.content_rule_selinux_policytype' ############################################################################### -(>&2 echo "Remediating rule 342/403: 'xccdf_org.ssgproject.content_rule_selinux_policytype'") +(>&2 echo "Remediating rule 349/410: 'xccdf_org.ssgproject.content_rule_selinux_policytype'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33165,9 +33292,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_selinux_policytype' ############################################################################### -# BEGIN fix (343 / 403) for 'xccdf_org.ssgproject.content_rule_selinux_state' +# BEGIN fix (350 / 410) for 'xccdf_org.ssgproject.content_rule_selinux_state' ############################################################################### -(>&2 echo "Remediating rule 343/403: 'xccdf_org.ssgproject.content_rule_selinux_state'") +(>&2 echo "Remediating rule 350/410: 'xccdf_org.ssgproject.content_rule_selinux_state'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33199,17 +33326,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_selinux_state' ############################################################################### -# BEGIN fix (344 / 403) for 'xccdf_org.ssgproject.content_rule_selinux_user_login_roles' +# BEGIN fix (351 / 410) for 'xccdf_org.ssgproject.content_rule_selinux_user_login_roles' ############################################################################### -(>&2 echo "Remediating rule 344/403: 'xccdf_org.ssgproject.content_rule_selinux_user_login_roles'") +(>&2 echo "Remediating rule 351/410: 'xccdf_org.ssgproject.content_rule_selinux_user_login_roles'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_selinux_user_login_roles' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_selinux_user_login_roles' ############################################################################### -# BEGIN fix (345 / 403) for 'xccdf_org.ssgproject.content_rule_package_abrt_removed' +# BEGIN fix (352 / 410) for 'xccdf_org.ssgproject.content_rule_package_abrt_removed' ############################################################################### -(>&2 echo "Remediating rule 345/403: 'xccdf_org.ssgproject.content_rule_package_abrt_removed'") +(>&2 echo "Remediating rule 352/410: 'xccdf_org.ssgproject.content_rule_package_abrt_removed'") # CAUTION: This remediation script will remove abrt # from the system, and may remove any packages @@ -33226,9 +33353,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_abrt_removed' ############################################################################### -# BEGIN fix (346 / 403) for 'xccdf_org.ssgproject.content_rule_service_kdump_disabled' +# BEGIN fix (353 / 410) for 'xccdf_org.ssgproject.content_rule_service_kdump_disabled' ############################################################################### -(>&2 echo "Remediating rule 346/403: 'xccdf_org.ssgproject.content_rule_service_kdump_disabled'") +(>&2 echo "Remediating rule 353/410: 'xccdf_org.ssgproject.content_rule_service_kdump_disabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33253,9 +33380,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_kdump_disabled' ############################################################################### -# BEGIN fix (347 / 403) for 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed' +# BEGIN fix (354 / 410) for 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed' ############################################################################### -(>&2 echo "Remediating rule 347/403: 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed'") +(>&2 echo "Remediating rule 354/410: 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33270,9 +33397,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_fapolicyd_installed' ############################################################################### -# BEGIN fix (348 / 403) for 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled' +# BEGIN fix (355 / 410) for 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled' ############################################################################### -(>&2 echo "Remediating rule 348/403: 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled'") +(>&2 echo "Remediating rule 355/410: 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33288,9 +33415,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled' ############################################################################### -# BEGIN fix (349 / 403) for 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny' +# BEGIN fix (356 / 410) for 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny' ############################################################################### -(>&2 echo "Remediating rule 349/403: 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'") +(>&2 echo "Remediating rule 356/410: 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33326,9 +33453,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny' ############################################################################### -# BEGIN fix (350 / 403) for 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed' +# BEGIN fix (357 / 410) for 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed' ############################################################################### -(>&2 echo "Remediating rule 350/403: 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed'") +(>&2 echo "Remediating rule 357/410: 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed'") # CAUTION: This remediation script will remove vsftpd # from the system, and may remove any packages @@ -33345,9 +33472,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_vsftpd_removed' ############################################################################### -# BEGIN fix (351 / 403) for 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed' +# BEGIN fix (358 / 410) for 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed' ############################################################################### -(>&2 echo "Remediating rule 351/403: 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed'") +(>&2 echo "Remediating rule 358/410: 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33370,9 +33497,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_krb5-server_removed' ############################################################################### -# BEGIN fix (352 / 403) for 'xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab' +# BEGIN fix (359 / 410) for 'xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab' ############################################################################### -(>&2 echo "Remediating rule 352/403: 'xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab'") +(>&2 echo "Remediating rule 359/410: 'xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33385,9 +33512,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab' ############################################################################### -# BEGIN fix (353 / 403) for 'xccdf_org.ssgproject.content_rule_package_mailx_installed' +# BEGIN fix (360 / 410) for 'xccdf_org.ssgproject.content_rule_package_mailx_installed' ############################################################################### -(>&2 echo "Remediating rule 353/403: 'xccdf_org.ssgproject.content_rule_package_mailx_installed'") +(>&2 echo "Remediating rule 360/410: 'xccdf_org.ssgproject.content_rule_package_mailx_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33402,9 +33529,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_mailx_installed' ############################################################################### -# BEGIN fix (354 / 403) for 'xccdf_org.ssgproject.content_rule_package_postfix_installed' +# BEGIN fix (361 / 410) for 'xccdf_org.ssgproject.content_rule_package_postfix_installed' ############################################################################### -(>&2 echo "Remediating rule 354/403: 'xccdf_org.ssgproject.content_rule_package_postfix_installed'") +(>&2 echo "Remediating rule 361/410: 'xccdf_org.ssgproject.content_rule_package_postfix_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33419,9 +33546,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_postfix_installed' ############################################################################### -# BEGIN fix (355 / 403) for 'xccdf_org.ssgproject.content_rule_package_sendmail_removed' +# BEGIN fix (362 / 410) for 'xccdf_org.ssgproject.content_rule_package_sendmail_removed' ############################################################################### -(>&2 echo "Remediating rule 355/403: 'xccdf_org.ssgproject.content_rule_package_sendmail_removed'") +(>&2 echo "Remediating rule 362/410: 'xccdf_org.ssgproject.content_rule_package_sendmail_removed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33444,9 +33571,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_sendmail_removed' ############################################################################### -# BEGIN fix (356 / 403) for 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster' +# BEGIN fix (363 / 410) for 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster' ############################################################################### -(>&2 echo "Remediating rule 356/403: 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster'") +(>&2 echo "Remediating rule 363/410: 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33476,9 +33603,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster' ############################################################################### -# BEGIN fix (357 / 403) for 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' +# BEGIN fix (364 / 410) for 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' ############################################################################### -(>&2 echo "Remediating rule 357/403: 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay'") +(>&2 echo "Remediating rule 364/410: 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q postfix; then @@ -33495,9 +33622,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' ############################################################################### -# BEGIN fix (358 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems' +# BEGIN fix (365 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems' ############################################################################### -(>&2 echo "Remediating rule 358/403: 'xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems'") +(>&2 echo "Remediating rule 365/410: 'xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33535,9 +33662,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems' ############################################################################### -# BEGIN fix (359 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems' +# BEGIN fix (366 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems' ############################################################################### -(>&2 echo "Remediating rule 359/403: 'xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems'") +(>&2 echo "Remediating rule 366/410: 'xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33575,9 +33702,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems' ############################################################################### -# BEGIN fix (360 / 403) for 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems' +# BEGIN fix (367 / 410) for 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems' ############################################################################### -(>&2 echo "Remediating rule 360/403: 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems'") +(>&2 echo "Remediating rule 367/410: 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33615,9 +33742,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems' ############################################################################### -# BEGIN fix (361 / 403) for 'xccdf_org.ssgproject.content_rule_chronyd_client_only' +# BEGIN fix (368 / 410) for 'xccdf_org.ssgproject.content_rule_chronyd_client_only' ############################################################################### -(>&2 echo "Remediating rule 361/403: 'xccdf_org.ssgproject.content_rule_chronyd_client_only'") +(>&2 echo "Remediating rule 368/410: 'xccdf_org.ssgproject.content_rule_chronyd_client_only'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33650,9 +33777,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_chronyd_client_only' ############################################################################### -# BEGIN fix (362 / 403) for 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network' +# BEGIN fix (369 / 410) for 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network' ############################################################################### -(>&2 echo "Remediating rule 362/403: 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network'") +(>&2 echo "Remediating rule 369/410: 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33685,9 +33812,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network' ############################################################################### -# BEGIN fix (363 / 403) for 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll' +# BEGIN fix (370 / 410) for 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll' ############################################################################### -(>&2 echo "Remediating rule 363/403: 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'") +(>&2 echo "Remediating rule 370/410: 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( rpm --quiet -q chrony || rpm --quiet -q ntp ); }; then @@ -33730,17 +33857,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll' ############################################################################### -# BEGIN fix (364 / 403) for 'xccdf_org.ssgproject.content_rule_chronyd_server_directive' +# BEGIN fix (371 / 410) for 'xccdf_org.ssgproject.content_rule_chronyd_server_directive' ############################################################################### -(>&2 echo "Remediating rule 364/403: 'xccdf_org.ssgproject.content_rule_chronyd_server_directive'") +(>&2 echo "Remediating rule 371/410: 'xccdf_org.ssgproject.content_rule_chronyd_server_directive'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_chronyd_server_directive' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_chronyd_server_directive' ############################################################################### -# BEGIN fix (365 / 403) for 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed' +# BEGIN fix (372 / 410) for 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed' ############################################################################### -(>&2 echo "Remediating rule 365/403: 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed'") +(>&2 echo "Remediating rule 372/410: 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed'") # CAUTION: This remediation script will remove rsh-server # from the system, and may remove any packages @@ -33757,9 +33884,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_rsh-server_removed' ############################################################################### -# BEGIN fix (366 / 403) for 'xccdf_org.ssgproject.content_rule_no_host_based_files' +# BEGIN fix (373 / 410) for 'xccdf_org.ssgproject.content_rule_no_host_based_files' ############################################################################### -(>&2 echo "Remediating rule 366/403: 'xccdf_org.ssgproject.content_rule_no_host_based_files'") +(>&2 echo "Remediating rule 373/410: 'xccdf_org.ssgproject.content_rule_no_host_based_files'") # Identify local mounts MOUNT_LIST=$(df --local | awk '{ print $6 }') @@ -33773,9 +33900,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_no_host_based_files' ############################################################################### -# BEGIN fix (367 / 403) for 'xccdf_org.ssgproject.content_rule_no_user_host_based_files' +# BEGIN fix (374 / 410) for 'xccdf_org.ssgproject.content_rule_no_user_host_based_files' ############################################################################### -(>&2 echo "Remediating rule 367/403: 'xccdf_org.ssgproject.content_rule_no_user_host_based_files'") +(>&2 echo "Remediating rule 374/410: 'xccdf_org.ssgproject.content_rule_no_user_host_based_files'") # Identify local mounts MOUNT_LIST=$(df --local | awk '{ print $6 }') @@ -33789,9 +33916,9 @@ done # END fix for 'xccdf_org.ssgproject.content_rule_no_user_host_based_files' ############################################################################### -# BEGIN fix (368 / 403) for 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed' +# BEGIN fix (375 / 410) for 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed' ############################################################################### -(>&2 echo "Remediating rule 368/403: 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed'") +(>&2 echo "Remediating rule 375/410: 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed'") # CAUTION: This remediation script will remove telnet-server # from the system, and may remove any packages @@ -33808,9 +33935,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_telnet-server_removed' ############################################################################### -# BEGIN fix (369 / 403) for 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' +# BEGIN fix (376 / 410) for 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' ############################################################################### -(>&2 echo "Remediating rule 369/403: 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed'") +(>&2 echo "Remediating rule 376/410: 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed'") # CAUTION: This remediation script will remove tftp-server # from the system, and may remove any packages @@ -33827,9 +33954,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_tftp-server_removed' ############################################################################### -# BEGIN fix (370 / 403) for 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode' +# BEGIN fix (377 / 410) for 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode' ############################################################################### -(>&2 echo "Remediating rule 370/403: 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode'") +(>&2 echo "Remediating rule 377/410: 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode'") # Remediation is applicable only in certain platforms if rpm --quiet -q tftp-server; then @@ -33849,9 +33976,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode' ############################################################################### -# BEGIN fix (371 / 403) for 'xccdf_org.ssgproject.content_rule_service_rngd_enabled' +# BEGIN fix (378 / 410) for 'xccdf_org.ssgproject.content_rule_service_rngd_enabled' ############################################################################### -(>&2 echo "Remediating rule 371/403: 'xccdf_org.ssgproject.content_rule_service_rngd_enabled'") +(>&2 echo "Remediating rule 378/410: 'xccdf_org.ssgproject.content_rule_service_rngd_enabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then @@ -33867,9 +33994,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_rngd_enabled' ############################################################################### -# BEGIN fix (372 / 403) for 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed' +# BEGIN fix (379 / 410) for 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed' ############################################################################### -(>&2 echo "Remediating rule 372/403: 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed'") +(>&2 echo "Remediating rule 379/410: 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33884,9 +34011,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_openssh-server_installed' ############################################################################### -# BEGIN fix (373 / 403) for 'xccdf_org.ssgproject.content_rule_service_sshd_enabled' +# BEGIN fix (380 / 410) for 'xccdf_org.ssgproject.content_rule_service_sshd_enabled' ############################################################################### -(>&2 echo "Remediating rule 373/403: 'xccdf_org.ssgproject.content_rule_service_sshd_enabled'") +(>&2 echo "Remediating rule 380/410: 'xccdf_org.ssgproject.content_rule_service_sshd_enabled'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33902,9 +34029,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_sshd_enabled' ############################################################################### -# BEGIN fix (374 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' +# BEGIN fix (381 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' ############################################################################### -(>&2 echo "Remediating rule 374/403: 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key'") +(>&2 echo "Remediating rule 381/410: 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33928,9 +34055,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' ############################################################################### -# BEGIN fix (375 / 403) for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' +# BEGIN fix (382 / 410) for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' ############################################################################### -(>&2 echo "Remediating rule 375/403: 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key'") +(>&2 echo "Remediating rule 382/410: 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33943,17 +34070,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' ############################################################################### -# BEGIN fix (376 / 403) for 'xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected' +# BEGIN fix (383 / 410) for 'xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected' ############################################################################### -(>&2 echo "Remediating rule 376/403: 'xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected'") +(>&2 echo "Remediating rule 383/410: 'xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected' ############################################################################### -# BEGIN fix (377 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' +# BEGIN fix (384 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' ############################################################################### -(>&2 echo "Remediating rule 377/403: 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive'") +(>&2 echo "Remediating rule 384/410: 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -33983,9 +34110,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' ############################################################################### -# BEGIN fix (378 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' +# BEGIN fix (385 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' ############################################################################### -(>&2 echo "Remediating rule 378/403: 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'") +(>&2 echo "Remediating rule 385/410: 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.5"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then @@ -34015,9 +34142,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' ############################################################################### -# BEGIN fix (379 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' +# BEGIN fix (386 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' ############################################################################### -(>&2 echo "Remediating rule 379/403: 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'") +(>&2 echo "Remediating rule 386/410: 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34044,9 +34171,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' ############################################################################### -# BEGIN fix (380 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' +# BEGIN fix (387 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' ############################################################################### -(>&2 echo "Remediating rule 380/403: 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth'") +(>&2 echo "Remediating rule 387/410: 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34073,9 +34200,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' ############################################################################### -# BEGIN fix (381 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' +# BEGIN fix (388 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' ############################################################################### -(>&2 echo "Remediating rule 381/403: 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth'") +(>&2 echo "Remediating rule 388/410: 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34102,9 +34229,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' ############################################################################### -# BEGIN fix (382 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' +# BEGIN fix (389 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' ############################################################################### -(>&2 echo "Remediating rule 382/403: 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'") +(>&2 echo "Remediating rule 389/410: 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34131,9 +34258,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' ############################################################################### -# BEGIN fix (383 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' +# BEGIN fix (390 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' ############################################################################### -(>&2 echo "Remediating rule 383/403: 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts'") +(>&2 echo "Remediating rule 390/410: 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34160,9 +34287,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' ############################################################################### -# BEGIN fix (384 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' +# BEGIN fix (391 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' ############################################################################### -(>&2 echo "Remediating rule 384/403: 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding'") +(>&2 echo "Remediating rule 391/410: 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34189,9 +34316,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' ############################################################################### -# BEGIN fix (385 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' +# BEGIN fix (392 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' ############################################################################### -(>&2 echo "Remediating rule 385/403: 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env'") +(>&2 echo "Remediating rule 392/410: 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34218,9 +34345,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' ############################################################################### -# BEGIN fix (386 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' +# BEGIN fix (393 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' ############################################################################### -(>&2 echo "Remediating rule 386/403: 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes'") +(>&2 echo "Remediating rule 393/410: 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34247,9 +34374,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' ############################################################################### -# BEGIN fix (387 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' +# BEGIN fix (394 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' ############################################################################### -(>&2 echo "Remediating rule 387/403: 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner'") +(>&2 echo "Remediating rule 394/410: 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34276,9 +34403,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' ############################################################################### -# BEGIN fix (388 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' +# BEGIN fix (395 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' ############################################################################### -(>&2 echo "Remediating rule 388/403: 'xccdf_org.ssgproject.content_rule_sshd_print_last_log'") +(>&2 echo "Remediating rule 395/410: 'xccdf_org.ssgproject.content_rule_sshd_print_last_log'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34305,9 +34432,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' ############################################################################### -# BEGIN fix (389 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' +# BEGIN fix (396 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' ############################################################################### -(>&2 echo "Remediating rule 389/403: 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit'") +(>&2 echo "Remediating rule 396/410: 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34340,17 +34467,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' ############################################################################### -# BEGIN fix (390 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig' +# BEGIN fix (397 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig' ############################################################################### -(>&2 echo "Remediating rule 390/403: 'xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig'") +(>&2 echo "Remediating rule 397/410: 'xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig' ############################################################################### -# BEGIN fix (391 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng' +# BEGIN fix (398 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng' ############################################################################### -(>&2 echo "Remediating rule 391/403: 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng'") +(>&2 echo "Remediating rule 398/410: 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34385,9 +34512,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng' ############################################################################### -# BEGIN fix (392 / 403) for 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' +# BEGIN fix (399 / 410) for 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' ############################################################################### -(>&2 echo "Remediating rule 392/403: 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost'") +(>&2 echo "Remediating rule 399/410: 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then @@ -34414,9 +34541,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' ############################################################################### -# BEGIN fix (393 / 403) for 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' +# BEGIN fix (400 / 410) for 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' ############################################################################### -(>&2 echo "Remediating rule 393/403: 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification'") +(>&2 echo "Remediating rule 400/410: 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification'") # Remediation is applicable only in certain platforms if rpm --quiet -q sssd-common; then @@ -34466,17 +34593,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification' ############################################################################### -# BEGIN fix (394 / 403) for 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap' +# BEGIN fix (401 / 410) for 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap' ############################################################################### -(>&2 echo "Remediating rule 394/403: 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap'") +(>&2 echo "Remediating rule 401/410: 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap' ############################################################################### -# BEGIN fix (395 / 403) for 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' +# BEGIN fix (402 / 410) for 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' ############################################################################### -(>&2 echo "Remediating rule 395/403: 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards'") +(>&2 echo "Remediating rule 402/410: 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards'") # Remediation is applicable only in certain platforms if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -34563,17 +34690,17 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' ############################################################################### -# BEGIN fix (396 / 403) for 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor' +# BEGIN fix (403 / 410) for 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor' ############################################################################### -(>&2 echo "Remediating rule 396/403: 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor'") +(>&2 echo "Remediating rule 403/410: 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor'") (>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor' IS MISSING!") # END fix for 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor' ############################################################################### -# BEGIN fix (397 / 403) for 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' +# BEGIN fix (404 / 410) for 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' ############################################################################### -(>&2 echo "Remediating rule 397/403: 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration'") +(>&2 echo "Remediating rule 404/410: 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration'") # Remediation is applicable only in certain platforms if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then @@ -34618,9 +34745,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' ############################################################################### -# BEGIN fix (398 / 403) for 'xccdf_org.ssgproject.content_rule_package_usbguard_installed' +# BEGIN fix (405 / 410) for 'xccdf_org.ssgproject.content_rule_package_usbguard_installed' ############################################################################### -(>&2 echo "Remediating rule 398/403: 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'") +(>&2 echo "Remediating rule 405/410: 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then @@ -34635,9 +34762,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_package_usbguard_installed' ############################################################################### -# BEGIN fix (399 / 403) for 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled' +# BEGIN fix (406 / 410) for 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled' ############################################################################### -(>&2 echo "Remediating rule 399/403: 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'") +(>&2 echo "Remediating rule 406/410: 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then @@ -34653,9 +34780,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled' ############################################################################### -# BEGIN fix (400 / 403) for 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' +# BEGIN fix (407 / 410) for 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' ############################################################################### -(>&2 echo "Remediating rule 400/403: 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend'") +(>&2 echo "Remediating rule 407/410: 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ) && { rpm --quiet -q usbguard; }; then @@ -34681,9 +34808,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' ############################################################################### -# BEGIN fix (401 / 403) for 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy' +# BEGIN fix (408 / 410) for 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy' ############################################################################### -(>&2 echo "Remediating rule 401/403: 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy'") +(>&2 echo "Remediating rule 408/410: 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy'") # Remediation is applicable only in certain platforms if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! grep -q s390x /proc/sys/kernel/osrelease ); then @@ -34717,9 +34844,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy' ############################################################################### -# BEGIN fix (402 / 403) for 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' +# BEGIN fix (409 / 410) for 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' ############################################################################### -(>&2 echo "Remediating rule 402/403: 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'") +(>&2 echo "Remediating rule 409/410: 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'") # remove packages @@ -34748,9 +34875,9 @@ fi # END fix for 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' ############################################################################### -# BEGIN fix (403 / 403) for 'xccdf_org.ssgproject.content_rule_xwindows_runlevel_target' +# BEGIN fix (410 / 410) for 'xccdf_org.ssgproject.content_rule_xwindows_runlevel_target' ############################################################################### -(>&2 echo "Remediating rule 403/403: 'xccdf_org.ssgproject.content_rule_xwindows_runlevel_target'") +(>&2 echo "Remediating rule 410/410: 'xccdf_org.ssgproject.content_rule_xwindows_runlevel_target'") # Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then diff --git a/ssg-rhel8-ds-1.2.xml b/ssg-rhel8-ds-1.2.xml index c19ce73..6bfe5d3 100644 --- a/ssg-rhel8-ds-1.2.xml +++ b/ssg-rhel8-ds-1.2.xml @@ -23,7 +23,7 @@ - + Red Hat Enterprise Linux 8 @@ -75,9 +75,9 @@ - + - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 8 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of @@ -842,246 +842,246 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - + + + + + + + + + + + - - - - - - + - - - - - - - - - - - - - - - - + + + + + + + + + + + + - - - + + + + - - - - - - - - - - - - + + + - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - + - - - + + + + - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + - + + + + + + - - - - - + + + + + + + + + + + + @@ -1312,320 +1312,320 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + - - - - - + + + + - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + - - + + - - - + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + @@ -1858,175 +1858,175 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - + + + + - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + + + + + - - - - + - - - - - - - - - - - - + + + + + + + + + + - + + + + - - - - - - - + + + - - + + - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - - - - + - - - - - - - - - - - - + + + + + - - - - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - + + + + + + + + + - - - + + + + + + + + + @@ -2267,53 +2267,53 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - + + + + + + + + + + + - - - + + + + + - - - - - - - - + + + + - + + + + + + + + + - - - - - - + + + + + - - - - - + - - - - - - - - - - + + + - - - - @@ -2567,365 +2567,365 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + - - - - - - - - - - - - - + - - - - - - - + + + + - - - - - - - - - - + - - - - - - + + + + + - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + @@ -3130,289 +3130,289 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - + - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - + + - - - - - - - - - + + - + + + - - + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + - - + + + + - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - - - - + - - - - + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + - - - - - - + + + + + + + + + - - + + + + + + + + + + + + + - - - - - + + - - - - - - - - - - - - - - - - + + + + + + + + + - + + - - - + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - + @@ -3623,282 +3623,282 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - + + - + + + - - + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + - - - - - - + + + + + + + + + - - - - - - - - - - + + + - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - + - - - - - - + + + + + + + + + - - + + + + + + + + + + + + + - - - - + + - - - - - - - - - - - - - - - - + + + + + + + + + + - + + - - - + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - + @@ -4116,361 +4116,361 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + - - - - - - - - - - - - - + - - - - - - - + + + + - - - - - - - - - + - - - - - - + + + + + - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + @@ -4679,111 +4679,111 @@ Policy Resource Center: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center - - - - - - - - - - - - - - - - - - - - - - - + + - + - + + + + + - + + - - - - - + + + + + - - - - - - + - - - - - - - - + + + + + - + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + - - - - - + + - - - - - - - - - + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + - - - - - - - - - - @@ -5030,216 +5030,216 @@ in NIST Special Publication 800-53. This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)." - - - - - - - - - - - - - - + + - - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - + + + + + - - - - - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - + + + + + + - - - - - + + - - - - - - - - - - - + + + - - + + + + + - - + + + + + + + + + - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + + - + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + - + + + - - - - - + + + - - - - - - - - - @@ -5472,104 +5472,104 @@ ACSC website: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers - - + + + + + + + + - - - - - - - - + + + - - + + + + - - - + + + + + + - - - - - + + + - - - - - - - - + + + - - - - - - + + + + + + + + + + + + + + + - + + - + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - + - - - + + + - - - - - - - - - - - - - - + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + @@ -5775,163 +5775,163 @@ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-work - - - - - - - - - Health Insurance Portability and Accountability Act (HIPAA) - The HIPAA Security Rule establishes U.S. national standards to protect individuals’ -electronic personal health information that is created, received, used, or -maintained by a covered entity. The Security Rule requires appropriate -administrative, physical and technical safeguards to ensure the -confidentiality, integrity, and security of electronic protected health -information. - -This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security -Rule identified for securing of electronic protected health information. -Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). - https://www.hhs.gov/hipaa/for-professionals/index.html - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + Health Insurance Portability and Accountability Act (HIPAA) + The HIPAA Security Rule establishes U.S. national standards to protect individuals’ +electronic personal health information that is created, received, used, or +maintained by a covered entity. The Security Rule requires appropriate +administrative, physical and technical safeguards to ensure the +confidentiality, integrity, and security of electronic protected health +information. + +This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security +Rule identified for securing of electronic protected health information. +Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + https://www.hhs.gov/hipaa/for-professionals/index.html + - - - + + + + + - - + - - - - - + + - + + + + + + + + + - - - + + + + + + + + - - - - - - - - - - + + + + - - - - - - - - - + + + + + + - - - + + + + + + + + + - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - + + + + - - - - + + + + - - - + + - - - - - + + + + - + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + @@ -6153,157 +6153,157 @@ A copy of the ISM can be found at the ACSC website: https://www.cyber.gov.au/ism https://www.cyber.gov.au/ism - - + + + + + + + + + + - - - - - - - - - + + + - - - + + + + + + - - - - - - - + + + + + + + + + - - - - - - - + + + - - - - - - - - - + - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - + - - + + + - - - - - - - - - - - - - + + + - - + + + + + + + + + + + + + + + - + + + + + + + + - + + + + + + + + + + + - + - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -6510,216 +6510,216 @@ U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems. https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442 - - - - - - - - - - - - - - + + - - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - + + + + + - - - - - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - + + + + + + - - - - - + + - - - - - - - - - - - + + + - - + + + + + - - + + + + + + + + + - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + + - + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + - + + + - - - - - + + + - - - - - - - - - @@ -6945,131 +6945,131 @@ use in U.S. National Security Systems. PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 Ensures PCI-DSS v3.2.1 security configuration settings are applied. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - - - - - - - - - - - - - - - - - - - - - - - - - + - - + + + + + + + + + + + + + + - - + + - - - - - - - - - - - + - - + + + + + + + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + - - - + + + + + + - + + + + + - - - - - - - + + + + - - - - - - - + + - + + + + + - - + + + + + + + + + - - - + + + + + + + - - - - - + + - - - - - - - + + + - - + + + - - - - - - - - + + + + + + + + + + @@ -7295,77 +7295,77 @@ use in U.S. National Security Systems. configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified Cloud Providers. - - + - - + - - - - - - - + + + + - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - + + - - - - - - - + + + - - - - - - - + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + @@ -7605,85 +7605,85 @@ Cloud Providers. This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload all of these checks should pass. - - - - - - - - - - - - - - - - - + + + - - - - - - - - + + + + + + - - - - - - + + - - - - - - - - + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + - - - + + - - + + + + + + + + + + + + + - - - - - - - - - - - - + + + + + + + + + - - - + + + + + @@ -7922,409 +7922,416 @@ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - + - - + + + + + + + + + + + - - - - - - - - - - - + + + + - - - - - - + + + + + + + + + + + + + + + + + + - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - - - - - + + + + + + + + + + + + + + + + + + + - - - + + + + + + @@ -8546,406 +8553,413 @@ your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 8 profile. https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - + + + + - - - - - + + + + + + + - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - + - - + + + + + + + + + + + - - - - - - - - - - - + + + + - - - - - - + + + + + + + + + + + + + + + + + + - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - - - - - + + + + + + + + + + + + + + + + + + + - - - + + + + + + @@ -47461,8 +47475,6 @@ updates as of version 0.1.69. PR.AC-6 SRG-OS-000123-GPOS-00064 SRG-OS-000002-GPOS-00002 - RHEL-08-020270 - SV-230374r903129_rule If emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all emergency accounts @@ -47548,7 +47560,9 @@ period of 72 hours. SRG-OS-000123-GPOS-00064 SRG-OS-000002-GPOS-00002 RHEL-08-020000 + RHEL-08-020270 SV-230331r627750_rule + SV-230374r903129_rule If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts @@ -183542,7 +183556,9 @@ above. Req-1.4 1.5.1 SRG-OS-000480-GPOS-00227 + RHEL-08-040090 3.4.1.5 + SV-230504r854047_rule In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. @@ -280133,16 +280149,16 @@ which the system will be deployed as closely as possible. - - + + - combine_ovals.py from SCAP Security Guide + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-08T00:06:20 + 2023-11-09T00:08:19 - + Disable DHCP Client in ifcfg @@ -280152,11 +280168,11 @@ which the system will be deployed as closely as possible. - + - + Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. @@ -280166,7 +280182,7 @@ which the system will be deployed as closely as possible. - + @@ -280174,7 +280190,7 @@ which the system will be deployed as closely as possible. - + Enable Logging of All FTP Transactions @@ -280187,7 +280203,7 @@ which the system will be deployed as closely as possible. - + @@ -280195,7 +280211,7 @@ which the system will be deployed as closely as possible. - + Create Warning Banners for All FTP Users @@ -280210,7 +280226,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on the /etc/httpd/conf/ Directory @@ -280224,7 +280240,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on the /var/log/httpd/ Directory @@ -280238,7 +280254,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ @@ -280252,7 +280268,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on All Configuration Files Inside /etc/httpd/conf/ @@ -280266,7 +280282,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ @@ -280280,7 +280296,7 @@ which the system will be deployed as closely as possible. - + Disable Plaintext Authentication @@ -280294,7 +280310,7 @@ which the system will be deployed as closely as possible. - + Enable the SSL flag in /etc/dovecot.conf @@ -280308,7 +280324,7 @@ which the system will be deployed as closely as possible. - + Disable Kerberos by removing host keytab @@ -280318,11 +280334,11 @@ which the system will be deployed as closely as possible. - - + + - + Enable the LDAP Client For Use in Authconfig @@ -280332,11 +280348,11 @@ which the system will be deployed as closely as possible. - + - + Configure LDAP Client to Use TLS For All Transactions @@ -280351,7 +280367,7 @@ which the system will be deployed as closely as possible. - + Configure Certificate Directives for LDAP Use of TLS @@ -280366,7 +280382,7 @@ which the system will be deployed as closely as possible. - + Ensure Mail Transfer Agent is not Listening on any non-loopback Address @@ -280376,11 +280392,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure System to Forward All Mail For The Root Account @@ -280390,11 +280406,11 @@ which the system will be deployed as closely as possible. - + - + Configure System to Forward All Mail From Postmaster to The Root Account @@ -280404,11 +280420,11 @@ which the system will be deployed as closely as possible. - + - + Disable Postfix Network Listening @@ -280419,11 +280435,11 @@ which the system will be deployed as closely as possible. - + - + Configure SMTP Greeting Banner @@ -280437,7 +280453,7 @@ which the system will be deployed as closely as possible. - + Prevent Unrestricted Mail Relaying @@ -280454,7 +280470,7 @@ which the system will be deployed as closely as possible. - + Ensure Insecure File Locking is Not Allowed @@ -280464,11 +280480,11 @@ which the system will be deployed as closely as possible. - + - + Use Kerberos Security on All Exports @@ -280481,10 +280497,10 @@ which the system will be deployed as closely as possible. - + - + Disable chrony daemon from acting as server @@ -280496,11 +280512,11 @@ which the system will be deployed as closely as possible. - - + + - + Disable network management of chrony daemon @@ -280512,11 +280528,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure Time Service Maxpoll Interval @@ -280544,7 +280560,7 @@ which the system will be deployed as closely as possible. - + Specify Additional Remote NTP Servers @@ -280565,7 +280581,7 @@ which the system will be deployed as closely as possible. - + Specify a Remote NTP Server @@ -280586,7 +280602,7 @@ which the system will be deployed as closely as possible. - + Ensure that chronyd is running under chrony user account @@ -280600,7 +280616,7 @@ which the system will be deployed as closely as possible. - + Ensure Chrony is only configured with the server directive @@ -280610,12 +280626,12 @@ which the system will be deployed as closely as possible. - + - + A remote time server for Chrony is configured @@ -280626,11 +280642,11 @@ which the system will be deployed as closely as possible. - + - + Specify Additional Remote NTP Servers @@ -280639,11 +280655,11 @@ which the system will be deployed as closely as possible.Multiple ntpd NTP Servers for time synchronization should be specified. - + - + Specify a Remote NTP Server @@ -280653,11 +280669,11 @@ which the system will be deployed as closely as possible. - + - + Enable the NTP Daemon @@ -280672,7 +280688,7 @@ which the system will be deployed as closely as possible. - + Remove Host-Based Authentication Files @@ -280682,11 +280698,11 @@ which the system will be deployed as closely as possible. - + - + Remove Rsh Trust Files @@ -280697,12 +280713,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Remove User Host-Based Authentication Files @@ -280712,11 +280728,11 @@ which the system will be deployed as closely as possible. - + - + Ensure tftp Daemon Uses Secure Mode @@ -280731,7 +280747,7 @@ which the system will be deployed as closely as possible. - + Disable Printer Browsing Entirely if Possible @@ -280750,7 +280766,7 @@ which the system will be deployed as closely as possible. - + Disable Print Server Capabilities @@ -280770,7 +280786,7 @@ which the system will be deployed as closely as possible. - + Require Client SMB Packet Signing, if using mount.cifs @@ -280797,7 +280813,7 @@ which the system will be deployed as closely as possible. - + Require Client SMB Packet Signing, if using smbclient @@ -280816,7 +280832,7 @@ which the system will be deployed as closely as possible. - + Ensure Default SNMP Password Is Not Used @@ -280825,11 +280841,11 @@ which the system will be deployed as closely as possible.SNMP default communities must be removed. - + - + Configure SNMP Service to Use Only SNMPv3 or Newer @@ -280844,7 +280860,7 @@ which the system will be deployed as closely as possible. - + Verify Permissions on SSH Server Private *_key Key Files @@ -280858,7 +280874,7 @@ which the system will be deployed as closely as possible. - + Remove SSH Server firewalld Firewall exception (Unusual) @@ -280875,7 +280891,7 @@ which the system will be deployed as closely as possible. - + Configure session renegotiation for SSH client @@ -280886,11 +280902,11 @@ which the system will be deployed as closely as possible. - + - + SSH client uses strong entropy to seed (for CSH like shells) @@ -280905,7 +280921,7 @@ which the system will be deployed as closely as possible. - + SSH client uses strong entropy to seed (Bash-like shells) @@ -280920,7 +280936,7 @@ which the system will be deployed as closely as possible. - + Enable SSH Server firewalld Firewall Exception @@ -280946,7 +280962,7 @@ which the system will be deployed as closely as possible. - + Allow Only SSH Protocol 2 @@ -280971,7 +280987,7 @@ which the system will be deployed as closely as possible. - + Disable Compression Or Set Compression to delayed @@ -280993,7 +281009,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Support for Rhosts RSA Authentication @@ -281014,12 +281030,12 @@ which the system will be deployed as closely as possible. - + - + Limit Users' SSH Access @@ -281036,7 +281052,7 @@ which the system will be deployed as closely as possible. - + Force frequent session key renegotiation @@ -281060,7 +281076,7 @@ which the system will be deployed as closely as possible. - + Set SSH Client Alive Interval @@ -281085,7 +281101,7 @@ which the system will be deployed as closely as possible. - + Set SSH Client Alive Count Max @@ -281096,21 +281112,21 @@ which the system will be deployed as closely as possible. - - - - + + + + - - - - - + + + + + - + Ensure SSH LoginGraceTime is configured @@ -281133,7 +281149,7 @@ which the system will be deployed as closely as possible. - + Set SSH authentication attempt limit @@ -281156,7 +281172,7 @@ which the system will be deployed as closely as possible. - + Set SSH MaxSessions limit @@ -281179,7 +281195,7 @@ which the system will be deployed as closely as possible. - + Ensure SSH MaxStartups is configured @@ -281196,13 +281212,13 @@ which the system will be deployed as closely as possible. - - - + + + - + Use Only FIPS 140-2 Validated Ciphers @@ -281227,7 +281243,7 @@ which the system will be deployed as closely as possible. - + Use Only FIPS 140-2 Validated Key Exchange Algorithms @@ -281252,7 +281268,7 @@ which the system will be deployed as closely as possible. - + Use Only FIPS 140-2 Validated MACs @@ -281277,7 +281293,7 @@ which the system will be deployed as closely as possible. - + Enable Use of Privilege Separation @@ -281295,7 +281311,7 @@ which the system will be deployed as closely as possible. - + Certificate status checking in SSSD @@ -281306,11 +281322,11 @@ which the system will be deployed as closely as possible. - + - + Configure PAM in SSSD Services @@ -281321,11 +281337,11 @@ which the system will be deployed as closely as possible. - + - + Enable Smartcards in SSSD @@ -281342,7 +281358,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD's Memory Cache to Expire @@ -281356,7 +281372,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD to Expire Offline Credentials @@ -281371,7 +281387,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD to run as user sssd @@ -281381,11 +281397,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSSD to Expire SSH Known Hosts @@ -281399,7 +281415,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD LDAP Backend Client CA Certificate Location @@ -281409,11 +281425,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server @@ -281423,11 +281439,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSSD LDAP Backend to Use TLS For All Transactions @@ -281437,11 +281453,11 @@ which the system will be deployed as closely as possible. - + - + Log USBGuard daemon audit events using Linux Audit @@ -281458,7 +281474,7 @@ which the system will be deployed as closely as possible. - + Authorize Human Interface Devices in USBGuard daemon @@ -281472,7 +281488,7 @@ which the system will be deployed as closely as possible. - + Authorize Human Interface Devices and USB hubs in USBGuard daemon @@ -281486,7 +281502,7 @@ which the system will be deployed as closely as possible. - + Authorize USB hubs in USBGuard daemon @@ -281500,7 +281516,7 @@ which the system will be deployed as closely as possible. - + Generate USBGuard Policy @@ -281514,7 +281530,7 @@ which the system will be deployed as closely as possible. - + Disable graphical user interface @@ -281524,14 +281540,14 @@ which the system will be deployed as closely as possible. - + - + Disable X Windows Startup By Setting Default Target @@ -281541,11 +281557,11 @@ which the system will be deployed as closely as possible. - + - + Enable authselect @@ -281555,7 +281571,7 @@ which the system will be deployed as closely as possible. - + @@ -281563,7 +281579,7 @@ which the system will be deployed as closely as possible. - + Modify the System Login Banner @@ -281573,11 +281589,11 @@ which the system will be deployed as closely as possible. - + - + Modify the System Login Banner for Remote Connections @@ -281587,11 +281603,11 @@ which the system will be deployed as closely as possible. - - + + - + Modify the System Message of the Day Banner @@ -281601,11 +281617,11 @@ which the system will be deployed as closely as possible. - + - + Enable GNOME3 Login Warning Banner @@ -281616,7 +281632,7 @@ which the system will be deployed as closely as possible. - + @@ -281624,7 +281640,7 @@ which the system will be deployed as closely as possible. - + Set the GNOME3 Login Warning Banner Text @@ -281635,7 +281651,7 @@ which the system will be deployed as closely as possible. - + @@ -281643,7 +281659,7 @@ which the system will be deployed as closely as possible. - + Disallow Configuration to Bypass Password Requirements for Privilege Escalation @@ -281653,11 +281669,11 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Displays Last Logon/Access Notification @@ -281667,11 +281683,11 @@ which the system will be deployed as closely as possible. - - + + - + Set Up a Private Namespace in PAM Configuration @@ -281681,11 +281697,11 @@ which the system will be deployed as closely as possible. - + - + An SELinux Context must be configured for the pam_faillock.so records directory @@ -281696,11 +281712,11 @@ which the system will be deployed as closely as possible. - - + + - + Account Lockouts Must Be Logged @@ -281710,20 +281726,20 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - + + + + - + Limit Password Reuse: password-auth @@ -281733,21 +281749,21 @@ which the system will be deployed as closely as possible. - - - - - - + + + + + + - - - + + + - + Limit Password Reuse: system-auth @@ -281757,21 +281773,21 @@ which the system will be deployed as closely as possible. - - - - - - + + + + + + - - - + + + - + Limit Password Reuse @@ -281781,24 +281797,24 @@ which the system will be deployed as closely as possible. - - - - - - - + + + + + + + - - - + + + - + - + Account Lockouts Must Be Logged @@ -281808,20 +281824,20 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - + + + + - + Lock Accounts After Failed Password Attempts @@ -281831,34 +281847,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Configure the root Account for Failed Password Attempts @@ -281869,34 +281885,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Lock Accounts Must Persist @@ -281906,20 +281922,20 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - + + + + - + Enforce pam_faillock for Local Accounts Only @@ -281929,23 +281945,23 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - + - + Set Interval For Counting Failed Password Attempts @@ -281955,34 +281971,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Do Not Show System Messages When Unsuccessful Logon Attempts Occur @@ -281992,19 +282008,19 @@ which the system will be deployed as closely as possible. - - - - + + + + - - - - + + + + - + Set Lockout Time for Failed Password Attempts @@ -282014,34 +282030,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Ensure PAM password complexity module is enabled in password-auth @@ -282051,11 +282067,11 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM password complexity module is enabled in system-auth @@ -282065,11 +282081,11 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session @@ -282079,19 +282095,19 @@ which the system will be deployed as closely as possible. - - + + - + - + Set Password Hashing Algorithm in /etc/libuser.conf @@ -282105,7 +282121,7 @@ which the system will be deployed as closely as possible. - + Set Password Hashing Algorithm in /etc/login.defs @@ -282119,7 +282135,7 @@ which the system will be deployed as closely as possible. - + Set PAM''s Password Hashing Algorithm - password-auth @@ -282133,7 +282149,7 @@ which the system will be deployed as closely as possible. - + Set PAM''s Password Hashing Algorithm @@ -282147,7 +282163,7 @@ which the system will be deployed as closely as possible. - + Set Password Hashing Minimum Rounds in /etc/login.defs @@ -282164,12 +282180,12 @@ which the system will be deployed as closely as possible. - + - + Disable Ctrl-Alt-Del Burst Action @@ -282181,11 +282197,11 @@ which the system will be deployed as closely as possible. - + - + Disable Ctrl-Alt-Del Reboot Activation @@ -282196,11 +282212,11 @@ which the system will be deployed as closely as possible. - + - + Verify that Interactive Boot is Disabled @@ -282212,14 +282228,14 @@ which the system will be deployed as closely as possible. - + - - + + - + Configure Logind to terminate idle sessions after certain time of inactivity @@ -282234,7 +282250,7 @@ which the system will be deployed as closely as possible. - + Require Authentication for Emergency Systemd Target @@ -282248,11 +282264,11 @@ which the system will be deployed as closely as possible. - - + + - + Require Authentication for Single User Mode @@ -282267,7 +282283,7 @@ which the system will be deployed as closely as possible. - + Support session locking with tmux @@ -282281,7 +282297,7 @@ which the system will be deployed as closely as possible. - + Support session locking with tmux (not enforcing) @@ -282295,7 +282311,7 @@ which the system will be deployed as closely as possible. - + Configure tmux to lock session after inactivity @@ -282310,7 +282326,7 @@ which the system will be deployed as closely as possible. - + Configure the tmux Lock Command @@ -282325,7 +282341,7 @@ which the system will be deployed as closely as possible. - + Configure the tmux lock session key binding @@ -282340,7 +282356,7 @@ which the system will be deployed as closely as possible. - + Prevent user from disabling the screen lock @@ -282354,7 +282370,7 @@ which the system will be deployed as closely as possible. - + Configure opensc Smart Card Drivers @@ -282365,11 +282381,11 @@ which the system will be deployed as closely as possible. - - + + - + Force opensc To Use Defined Smart Card Driver @@ -282380,11 +282396,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All Accounts on the System Have Unique User IDs @@ -282394,11 +282410,11 @@ which the system will be deployed as closely as possible. - + - + Only Authorized Local User Accounts Exist on Operating System @@ -282409,11 +282425,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All Groups on the System Have Unique Group ID @@ -282423,11 +282439,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Groups on the System Have Unique Group Names @@ -282437,11 +282453,11 @@ which the system will be deployed as closely as possible. - + - + Set Account Expiration Following Inactivity @@ -282451,11 +282467,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Accounts on the System Have Unique Names @@ -282465,11 +282481,11 @@ which the system will be deployed as closely as possible. - + - + Set Password Maximum Age @@ -282479,11 +282495,11 @@ which the system will be deployed as closely as possible. - + - + Set Password Minimum Age @@ -282493,11 +282509,11 @@ which the system will be deployed as closely as possible. - + - + Set Password Minimum Length in login.defs @@ -282511,7 +282527,7 @@ which the system will be deployed as closely as possible. - + Set Existing Passwords Maximum Age @@ -282522,12 +282538,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Set Existing Passwords Minimum Age @@ -282538,12 +282554,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Set Existing Passwords Warning Age @@ -282554,11 +282570,11 @@ which the system will be deployed as closely as possible. - - + + - + Set Password Warning Age @@ -282568,11 +282584,11 @@ which the system will be deployed as closely as possible. - + - + Set existing passwords a period of inactivity before they been locked @@ -282583,11 +282599,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify All Account Password Hashes are Shadowed @@ -282597,11 +282613,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify All Account Password Hashes are Shadowed with SHA512 @@ -282611,11 +282627,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure all users last password change date is in the past @@ -282626,11 +282642,11 @@ which the system will be deployed as closely as possible. - - + + - + Set number of Password Hashing Rounds - password-auth @@ -282648,7 +282664,7 @@ which the system will be deployed as closely as possible. - + Set number of Password Hashing Rounds - system-auth @@ -282666,7 +282682,7 @@ which the system will be deployed as closely as possible. - + All GIDs referenced in /etc/passwd must be defined in /etc/group @@ -282676,11 +282692,11 @@ which the system will be deployed as closely as possible. - + - + Prevent Login to Accounts With Empty Password @@ -282690,11 +282706,11 @@ which the system will be deployed as closely as possible. - + - + Ensure There Are No Accounts With Blank or Null Passwords @@ -282704,11 +282720,11 @@ which the system will be deployed as closely as possible. - + - + Verify No .forward Files Exist @@ -282718,11 +282734,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure there are no legacy + NIS entries in /etc/group @@ -282732,11 +282748,11 @@ which the system will be deployed as closely as possible. - + - + Ensure there are no legacy + NIS entries in /etc/passwd @@ -282746,11 +282762,11 @@ which the system will be deployed as closely as possible. - + - + Ensure there are no legacy + NIS entries in /etc/shadow @@ -282760,11 +282776,11 @@ which the system will be deployed as closely as possible. - + - + Verify No netrc Files Exist @@ -282774,11 +282790,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify Only Root Has UID 0 @@ -282788,11 +282804,11 @@ which the system will be deployed as closely as possible. - + - + Verify Root Has A Primary GID 0 @@ -282802,11 +282818,11 @@ which the system will be deployed as closely as possible. - + - + Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty @@ -282821,7 +282837,7 @@ which the system will be deployed as closely as possible. - + Direct root Logins Not Allowed @@ -282837,7 +282853,7 @@ which the system will be deployed as closely as possible. - + Ensure that System Accounts Are Locked @@ -282847,11 +282863,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure that System Accounts Do Not Run a Shell Upon Login @@ -282869,14 +282885,14 @@ which the system will be deployed as closely as possible. - - + + - + Restrict Serial Port Root Logins @@ -282888,11 +282904,11 @@ which the system will be deployed as closely as possible. - - + + - + Restrict Virtual Console Root Logins @@ -282904,11 +282920,11 @@ which the system will be deployed as closely as possible. - + - + Enforce usage of pam_wheel for su authentication @@ -282922,7 +282938,7 @@ which the system will be deployed as closely as possible. - + Enforce Usage of pam_wheel with Group Parameter for su Authentication @@ -282936,7 +282952,7 @@ which the system will be deployed as closely as possible. - + Ensure Home Directories are Created for New Users @@ -282950,7 +282966,7 @@ which the system will be deployed as closely as possible. - + Ensure the Logon Failure Delay is Set Correctly in login.defs @@ -282961,11 +282977,11 @@ which the system will be deployed as closely as possible. - + - + Limit the Number of Concurrent Login Sessions Allowed Per User @@ -282979,12 +282995,12 @@ which the system will be deployed as closely as possible. - + - + Configure Polyinstantiation of /tmp Directories @@ -282994,12 +283010,12 @@ which the system will be deployed as closely as possible. - + - + Configure Polyinstantiation of /var/tmp Directories @@ -283009,12 +283025,12 @@ which the system will be deployed as closely as possible. - + - + Set Interactive Session Timeout @@ -283030,7 +283046,7 @@ which the system will be deployed as closely as possible. - + User Initialization Files Must Be Group-Owned By The Primary Group @@ -283039,11 +283055,11 @@ which the system will be deployed as closely as possible.User Initialization Files Must Be Group-Owned By The Primary Group - - + + - + User Initialization Files Must Not Run World-Writable Programs @@ -283054,10 +283070,10 @@ which the system will be deployed as closely as possible. - + - + User Initialization Files Must Be Owned By the Primary User @@ -283066,11 +283082,11 @@ which the system will be deployed as closely as possible.User Initialization Files Must Be Owned By the Primary User - - + + - + All Interactive Users Must Have A Home Directory Defined @@ -283080,11 +283096,11 @@ which the system will be deployed as closely as possible. - - + + - + All Interactive Users Home Directories Must Exist @@ -283095,11 +283111,11 @@ which the system will be deployed as closely as possible. - - + + - + All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group @@ -283109,11 +283125,11 @@ which the system will be deployed as closely as possible. - - + + - + All User Files and Directories In The Home Directory Must Have a Valid Owner @@ -283122,11 +283138,11 @@ which the system will be deployed as closely as possible.All User Files and Directories In The Home Directory Must Have a Valid Owner - - + + - + All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive @@ -283137,11 +283153,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure users' .netrc Files are not group or world accessible @@ -283152,11 +283168,11 @@ which the system will be deployed as closely as possible. - - + + - + All Interactive User Home Directories Must Be Group-Owned By The Primary Group @@ -283166,11 +283182,11 @@ which the system will be deployed as closely as possible. - - + + - + All Interactive User Home Directories Must Be Owned By The Primary User @@ -283181,11 +283197,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All User Initialization Files Have Mode 0740 Or Less Permissive @@ -283195,11 +283211,11 @@ which the system will be deployed as closely as possible. - + - + All Interactive User Home Directories Must Have mode 0750 Or Less Permissive @@ -283209,11 +283225,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure that User Home Directories are not Group-Writable or World-Readable @@ -283223,11 +283239,11 @@ which the system will be deployed as closely as possible. - + - + Ensure that Root's Path Does Not Include World or Group-Writable Directories @@ -283238,11 +283254,11 @@ which the system will be deployed as closely as possible. - + - + Ensure that Root's Path Does Not Include Relative Paths or Null Directories @@ -283262,7 +283278,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default Bash Umask is Set Correctly @@ -283277,7 +283293,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default C Shell Umask is Set Correctly @@ -283292,7 +283308,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default Umask is Set Correctly in login.defs @@ -283307,7 +283323,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default Umask is Set Correctly in /etc/profile @@ -283318,11 +283334,11 @@ which the system will be deployed as closely as possible. - + - + Ensure the Default Umask is Set Correctly For Interactive Users @@ -283332,11 +283348,11 @@ which the system will be deployed as closely as possible. - - + + - + Enable Syscall Auditing @@ -283356,7 +283372,7 @@ which the system will be deployed as closely as possible. - + Make the auditd Configuration Immutable @@ -283377,7 +283393,7 @@ which the system will be deployed as closely as possible. - + Configure immutable Audit login UIDs @@ -283398,7 +283414,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify the System's Mandatory Access Controls @@ -283419,7 +283435,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify the System's Mandatory Access Controls in usr/share @@ -283432,16 +283448,16 @@ which the system will be deployed as closely as possible. - - + + - - + + - + Record Events that Modify the System's Network Environment @@ -283473,7 +283489,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter Process and Session Initiation Information @@ -283498,7 +283514,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects System Administrator Actions - /etc/sudoers @@ -283519,7 +283535,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ @@ -283540,7 +283556,7 @@ which the system will be deployed as closely as possible. - + Record Events When Executables Are Run As Another User @@ -283563,7 +283579,7 @@ which the system will be deployed as closely as possible. - + Record Events When Privileged Executables Are Run @@ -283590,7 +283606,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects System Administrator Actions @@ -283613,7 +283629,7 @@ which the system will be deployed as closely as possible. - + Shutdown System When Auditing Failures Occur @@ -283634,7 +283650,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information @@ -283663,7 +283679,7 @@ which the system will be deployed as closely as possible. - + Record Access Events to Audit Log Directory @@ -283684,7 +283700,7 @@ which the system will be deployed as closely as possible. - + System Audit Directories Must Be Group Owned By Root @@ -283695,21 +283711,21 @@ which the system will be deployed as closely as possible. - - + + - + - + - + System Audit Directories Must Be Owned By Root @@ -283720,17 +283736,17 @@ which the system will be deployed as closely as possible. - - + + - + - + System Audit Logs Must Have Mode 0750 or Less Permissive @@ -283741,17 +283757,17 @@ which the system will be deployed as closely as possible. - - - + + + - + - + - + System Audit Logs Must Be Group Owned By Root @@ -283762,14 +283778,14 @@ which the system will be deployed as closely as possible. - - + + - + @@ -283778,7 +283794,7 @@ which the system will be deployed as closely as possible. - + System Audit Logs Must Be Owned By Root @@ -283789,18 +283805,18 @@ which the system will be deployed as closely as possible. - + - + - + System Audit Logs Must Be Owned By Root @@ -283811,17 +283827,17 @@ which the system will be deployed as closely as possible. - - + + - + - + System Audit Logs Must Have Mode 0640 or Less Permissive @@ -283832,17 +283848,17 @@ which the system will be deployed as closely as possible. - - - + + + - + - + - + Record Events that Modify the System's Discretionary Access Controls - umount @@ -283862,7 +283878,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects File Deletion Events by User @@ -283880,7 +283896,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) @@ -283899,7 +283915,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on Kernel Module Loading and Unloading @@ -283915,7 +283931,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on Kernel Module Unloading - create_module @@ -283930,7 +283946,7 @@ which the system will be deployed as closely as possible. - + @@ -283938,13 +283954,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Unloading - delete_module @@ -283959,7 +283975,7 @@ which the system will be deployed as closely as possible. - + @@ -283967,13 +283983,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module @@ -283988,7 +284004,7 @@ which the system will be deployed as closely as possible. - + @@ -283996,13 +284012,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Loading - init_module @@ -284017,7 +284033,7 @@ which the system will be deployed as closely as possible. - + @@ -284025,13 +284041,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module @@ -284046,7 +284062,7 @@ which the system will be deployed as closely as possible. - + @@ -284054,13 +284070,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Logon and Logout Events @@ -284076,7 +284092,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands @@ -284088,18 +284104,18 @@ which the system will be deployed as closely as possible. - - - + + + - - - + + + - + Ensure auditd Collects Information on the Use of Privileged Commands - kmod @@ -284120,7 +284136,7 @@ which the system will be deployed as closely as possible. - + Record attempts to alter time through adjtimex @@ -284135,7 +284151,7 @@ which the system will be deployed as closely as possible. - + @@ -284143,13 +284159,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Time Through clock_settime @@ -284164,7 +284180,7 @@ which the system will be deployed as closely as possible. - + @@ -284172,13 +284188,13 @@ which the system will be deployed as closely as possible. - + - + Record attempts to alter time through settimeofday @@ -284193,7 +284209,7 @@ which the system will be deployed as closely as possible. - + @@ -284201,13 +284217,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Time Through stime @@ -284236,7 +284252,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter the localtime File @@ -284257,7 +284273,7 @@ which the system will be deployed as closely as possible. - + Configure audispd Plugin To Send Logs To Remote Server @@ -284267,11 +284283,11 @@ which the system will be deployed as closely as possible. - + - + Configure audispd's Plugin disk_full_action When Disk Is Full @@ -284280,11 +284296,11 @@ which the system will be deployed as closely as possible.remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname - + - + Encrypt Audit Records Sent With audispd Plugin @@ -284294,11 +284310,11 @@ which the system will be deployed as closely as possible. - + - + Configure audispd's Plugin network_failure_action On Network Failure @@ -284307,11 +284323,11 @@ which the system will be deployed as closely as possible.remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname - + - + Configure auditd to use audispd's syslog plugin @@ -284321,11 +284337,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Disk Error Action on Disk Error @@ -284335,11 +284351,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Disk Error Action on Disk Error @@ -284354,7 +284370,7 @@ which the system will be deployed as closely as possible. - + Configure auditd Disk Full Action when Disk Space Is Full @@ -284364,11 +284380,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Disk Full Action when Disk Space Is Full @@ -284383,7 +284399,7 @@ which the system will be deployed as closely as possible. - + Configure auditd mail_acct Action on Low Disk Space @@ -284393,11 +284409,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd admin_space_left Action on Low Disk Space @@ -284407,11 +284423,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd admin_space_left on Low Disk Space @@ -284420,11 +284436,11 @@ which the system will be deployed as closely as possible.admin_space_left setting in /etc/audit/auditd.conf is set to at least a certain value - + - + Configure auditd flush priority @@ -284434,11 +284450,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Max Log File Size @@ -284448,11 +284464,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd max_log_file_action Upon Reaching Maximum Log Size @@ -284462,11 +284478,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd max_log_file_action Upon Reaching Maximum Log Size @@ -284480,7 +284496,7 @@ which the system will be deployed as closely as possible. - + Configure auditd Number of Logs Retained @@ -284490,11 +284506,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd space_left on Low Disk Space @@ -284504,11 +284520,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd space_left Action on Low Disk Space @@ -284518,11 +284534,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd space_left on Low Disk Space @@ -284532,11 +284548,11 @@ which the system will be deployed as closely as possible. - + - + Set type of computer node name logging in audit logs @@ -284550,7 +284566,7 @@ which the system will be deployed as closely as possible. - + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full @@ -284564,7 +284580,7 @@ which the system will be deployed as closely as possible. - + Configure audit according to OSPP requirements @@ -284581,7 +284597,7 @@ which the system will be deployed as closely as possible. - + Disable Recovery Booting @@ -284592,10 +284608,10 @@ which the system will be deployed as closely as possible. - + - + Configure kernel to trust the CPU random number generator @@ -284608,12 +284624,12 @@ which the system will be deployed as closely as possible. - + - + Set the Boot Loader Admin Username to a Non-Default Value @@ -284627,7 +284643,7 @@ which the system will be deployed as closely as possible. - + Boot Loader Is Not Installed On Removeable Media @@ -284644,7 +284660,7 @@ which the system will be deployed as closely as possible. - + Set Boot Loader Password in grub2 @@ -284658,7 +284674,7 @@ which the system will be deployed as closely as possible. - + Set the UEFI Boot Loader Admin Username to a Non-Default Value @@ -284672,7 +284688,7 @@ which the system will be deployed as closely as possible. - + Set the UEFI Boot Loader Password @@ -284686,7 +284702,7 @@ which the system will be deployed as closely as possible. - + UEFI Boot Loader Is Not Installed On Removeable Media @@ -284703,7 +284719,7 @@ which the system will be deployed as closely as possible. - + Ensure all zIPL boot entries are BLS compliant @@ -284714,10 +284730,10 @@ which the system will be deployed as closely as possible. - + - + Ensure zIPL bootmap is up to date @@ -284728,10 +284744,10 @@ which the system will be deployed as closely as possible. - + - + Ensure debug-shell service is not enabled in zIPL @@ -284741,11 +284757,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure rsyslog Default File Permissions Configured @@ -284756,11 +284772,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure Logwatch HostLimit Line @@ -284773,7 +284789,7 @@ which the system will be deployed as closely as possible. - + Configure Logwatch SplitHosts Line @@ -284782,11 +284798,11 @@ which the system will be deployed as closely as possible.Check if SplitHosts line in logwatch.conf is set appropriately. - + - + Ensure cron Is Logging To Rsyslog @@ -284801,7 +284817,7 @@ which the system will be deployed as closely as possible. - + Ensure Rsyslog Authenticates Off-Loaded Audit Records @@ -284818,7 +284834,7 @@ which the system will be deployed as closely as possible. - + Ensure Rsyslog Encrypts Off-Loaded Audit Records @@ -284835,7 +284851,7 @@ which the system will be deployed as closely as possible. - + Ensure Rsyslog Encrypts Off-Loaded Audit Records @@ -284852,7 +284868,7 @@ which the system will be deployed as closely as possible. - + Ensure logging is configured @@ -284868,7 +284884,7 @@ which the system will be deployed as closely as possible. - + Ensure remote access methods are monitored in Rsyslog @@ -284884,7 +284900,7 @@ which the system will be deployed as closely as possible. - + Ensure Logrotate Runs Periodically @@ -284905,7 +284921,7 @@ which the system will be deployed as closely as possible. - + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server @@ -284916,11 +284932,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure Logs Sent To Remote Host @@ -284935,7 +284951,7 @@ which the system will be deployed as closely as possible. - + Configure TLS for rsyslog remote logging @@ -284949,7 +284965,7 @@ which the system will be deployed as closely as possible. - + Configure CA certificate for rsyslog remote logging @@ -284963,7 +284979,7 @@ which the system will be deployed as closely as possible. - + Configure Multiple DNS Servers in /etc/resolv.conf @@ -284980,12 +284996,12 @@ which the system will be deployed as closely as possible. - + - + Disable Client Dynamic DNS Updates @@ -285001,7 +285017,7 @@ which the system will be deployed as closely as possible. - + Disable Zeroconf Networking @@ -285011,11 +285027,11 @@ which the system will be deployed as closely as possible. - + - + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli @@ -285025,11 +285041,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure System is Not Acting as a Network Sniffer @@ -285039,25 +285055,11 @@ which the system will be deployed as closely as possible. - - - - - - - Set Default firewalld Zone for Incoming Packets - - Red Hat Enterprise Linux 8 - - Change the default firewalld zone to drop. - - - - - + + - + Manually Assign IPv6 Router Address @@ -285071,7 +285073,7 @@ which the system will be deployed as closely as possible. - + Use Privacy Extensions for Address @@ -285085,7 +285087,7 @@ which the system will be deployed as closely as possible. - + Manually Assign Global IPv6 Address @@ -285100,7 +285102,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Networking Support Automatic Loading @@ -285110,11 +285112,11 @@ which the system will be deployed as closely as possible. - - + + - + Disable Support for RPC IPv6 @@ -285128,7 +285130,7 @@ which the system will be deployed as closely as possible. - + Deactivate Wireless Network Interfaces @@ -285138,11 +285140,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All World-Writable Directories Are Owned by root User @@ -285152,11 +285154,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify that All World-Writable Directories Have Sticky Bits Set @@ -285166,11 +285168,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All World-Writable Directories Are Owned by a System Account @@ -285179,11 +285181,11 @@ which the system will be deployed as closely as possible.All world writable directories should be owned by a system user. - + - + Ensure All World-Writable Directories Are Group Owned by a System Account @@ -285193,11 +285195,11 @@ which the system will be deployed as closely as possible. - + - + Verify that local System.map file (if exists) is readable only by root @@ -285223,7 +285225,7 @@ which the system will be deployed as closely as possible. - + @@ -285237,11 +285239,11 @@ which the system will be deployed as closely as possible. - + - + Ensure No World-Writable Files Exist @@ -285251,11 +285253,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Files Are Owned by a Group @@ -285265,11 +285267,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Files Are Owned by a User @@ -285279,11 +285281,11 @@ which the system will be deployed as closely as possible. - + - + Verify that system commands files are group owned by root or a system account @@ -285296,11 +285298,11 @@ which the system will be deployed as closely as possible. - + - + Verify that System Executables Have Root Ownership @@ -285318,7 +285320,7 @@ which the system will be deployed as closely as possible. - + Verify that System Executables Have Restrictive Permissions @@ -285335,7 +285337,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Support for USB via Bootloader Configuration @@ -285348,7 +285350,7 @@ which the system will be deployed as closely as possible. - + Add nodev Option to Non-Root Local Partitions @@ -285362,11 +285364,11 @@ which the system will be deployed as closely as possible. - - + + - + Bind Mount /var/tmp To /tmp @@ -285386,7 +285388,7 @@ which the system will be deployed as closely as possible. - + Disable core dump backtraces @@ -285401,7 +285403,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dump @@ -285416,7 +285418,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for All Users @@ -285429,12 +285431,12 @@ which the system will be deployed as closely as possible. - + - + Set Daemon Umask @@ -285448,7 +285450,7 @@ which the system will be deployed as closely as possible. - + Enable ExecShield via sysctl @@ -285465,7 +285467,7 @@ which the system will be deployed as closely as possible. - + Enable NX or XD Support in the BIOS @@ -285480,7 +285482,7 @@ which the system will be deployed as closely as possible. - + Install PAE Kernel on Supported 32-bit x86 Systems @@ -285492,9 +285494,9 @@ which the system will be deployed as closely as possible. - + - + @@ -285503,7 +285505,7 @@ which the system will be deployed as closely as possible. - + Ensure SELinux Not Disabled in /etc/default/grub @@ -285516,12 +285518,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Ensure No Device Files are Unlabeled by SELinux @@ -285536,7 +285538,7 @@ which the system will be deployed as closely as possible. - + Ensure No Daemons are Unconfined by SELinux @@ -285546,11 +285548,11 @@ which the system will be deployed as closely as possible. - + - + Ensure SELinux is Not Disabled @@ -285561,10 +285563,10 @@ which the system will be deployed as closely as possible. - + - + Configure SELinux Policy @@ -285574,11 +285576,11 @@ which the system will be deployed as closely as possible. - + - + Ensure SELinux State is Enforcing @@ -285592,7 +285594,7 @@ which the system will be deployed as closely as possible. - + Prefer to use a 64-bit Operating System when supported @@ -285607,10 +285609,10 @@ which the system will be deployed as closely as possible. - + - + Make sure that the dconf databases are up-to-date with regards to respective keyfiles @@ -285621,7 +285623,7 @@ which the system will be deployed as closely as possible. - + @@ -285634,7 +285636,7 @@ which the system will be deployed as closely as possible. - + Configure GNOME3 DConf User Profile @@ -285644,11 +285646,11 @@ which the system will be deployed as closely as possible. - + - + Disable the GNOME3 Login Restart and Shutdown Buttons @@ -285658,7 +285660,7 @@ which the system will be deployed as closely as possible. - + @@ -285666,7 +285668,7 @@ which the system will be deployed as closely as possible. - + Disable the GNOME3 Login User List @@ -285677,7 +285679,7 @@ which the system will be deployed as closely as possible. - + @@ -285685,7 +285687,7 @@ which the system will be deployed as closely as possible. - + Enable the GNOME3 Login Smartcard Authentication @@ -285695,7 +285697,7 @@ which the system will be deployed as closely as possible. - + @@ -285703,7 +285705,7 @@ which the system will be deployed as closely as possible. - + Set the GNOME3 Login Number of Failures @@ -285714,7 +285716,7 @@ which the system will be deployed as closely as possible. - + @@ -285722,7 +285724,7 @@ which the system will be deployed as closely as possible. - + Disable GDM Automatic Login @@ -285734,11 +285736,11 @@ which the system will be deployed as closely as possible. - + - + Disable GDM Guest Login @@ -285750,11 +285752,11 @@ which the system will be deployed as closely as possible. - + - + Disable XDMCP in GDM @@ -285771,7 +285773,7 @@ which the system will be deployed as closely as possible. - + Disable GNOME3 automount @@ -285784,7 +285786,7 @@ which the system will be deployed as closely as possible. - + @@ -285792,7 +285794,7 @@ which the system will be deployed as closely as possible. - + Disable GNOME3 automount-open @@ -285805,7 +285807,7 @@ which the system will be deployed as closely as possible. - + @@ -285813,7 +285815,7 @@ which the system will be deployed as closely as possible. - + Disable GNOME3 autorun @@ -285826,7 +285828,7 @@ which the system will be deployed as closely as possible. - + @@ -285834,7 +285836,7 @@ which the system will be deployed as closely as possible. - + Disable All GNOME3 Thumbnailers @@ -285847,7 +285849,7 @@ which the system will be deployed as closely as possible. - + @@ -285855,7 +285857,7 @@ which the system will be deployed as closely as possible. - + Disable WIFI Network Connection Creation in GNOME3 @@ -285865,7 +285867,7 @@ which the system will be deployed as closely as possible. - + @@ -285873,7 +285875,7 @@ which the system will be deployed as closely as possible. - + Disable WIFI Network Notification in GNOME3 @@ -285883,7 +285885,7 @@ which the system will be deployed as closely as possible. - + @@ -285891,7 +285893,7 @@ which the system will be deployed as closely as possible. - + Require Credential Prompting for Remote Access in GNOME3 @@ -285902,7 +285904,7 @@ which the system will be deployed as closely as possible. - + @@ -285910,7 +285912,7 @@ which the system will be deployed as closely as possible. - + Require Encryption for Remote Access in GNOME3 @@ -285921,7 +285923,7 @@ which the system will be deployed as closely as possible. - + @@ -285929,7 +285931,7 @@ which the system will be deployed as closely as possible. - + Enable GNOME3 Screensaver Idle Activation @@ -285940,7 +285942,7 @@ which the system will be deployed as closely as possible. - + @@ -285948,7 +285950,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation @@ -285959,14 +285961,14 @@ which the system will be deployed as closely as possible. - + - + Set GNOME3 Screensaver Inactivity Timeout @@ -285977,7 +285979,7 @@ which the system will be deployed as closely as possible. - + @@ -285985,7 +285987,7 @@ which the system will be deployed as closely as possible. - + Set GNOME3 Screensaver Lock Delay After Activation Period @@ -285997,7 +285999,7 @@ which the system will be deployed as closely as possible. - + @@ -286005,7 +286007,7 @@ which the system will be deployed as closely as possible. - + Enable GNOME3 Screensaver Lock After Idle Period @@ -286016,7 +286018,7 @@ which the system will be deployed as closely as possible. - + @@ -286024,7 +286026,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period @@ -286035,14 +286037,14 @@ which the system will be deployed as closely as possible. - + - + Implement Blank Screensaver @@ -286053,7 +286055,7 @@ which the system will be deployed as closely as possible. - + @@ -286061,7 +286063,7 @@ which the system will be deployed as closely as possible. - + Disable Full User Name on Splash Shield @@ -286072,7 +286074,7 @@ which the system will be deployed as closely as possible. - + @@ -286080,7 +286082,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Cannot Change GNOME3 Screensaver Settings @@ -286091,14 +286093,14 @@ which the system will be deployed as closely as possible. - + - + Ensure Users Cannot Change GNOME3 Session Idle Settings @@ -286109,14 +286111,14 @@ which the system will be deployed as closely as possible. - + - + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 @@ -286127,7 +286129,7 @@ which the system will be deployed as closely as possible. - + @@ -286135,7 +286137,7 @@ which the system will be deployed as closely as possible. - + Disable Geolocation in GNOME3 @@ -286145,7 +286147,7 @@ which the system will be deployed as closely as possible. - + @@ -286155,7 +286157,7 @@ which the system will be deployed as closely as possible. - + Disable Power Settings in GNOME3 @@ -286165,7 +286167,7 @@ which the system will be deployed as closely as possible. - + @@ -286173,7 +286175,7 @@ which the system will be deployed as closely as possible. - + The Installed Operating System Is FIPS 140-2 Certified @@ -286197,7 +286199,7 @@ which the system will be deployed as closely as possible. - + The Installed Operating System Is Vendor Supported @@ -286219,7 +286221,7 @@ which the system will be deployed as closely as possible. - + Configure BIND to use System Crypto Policy @@ -286231,10 +286233,10 @@ which the system will be deployed as closely as possible. - + - + Configure System Cryptography Policy @@ -286251,7 +286253,7 @@ which the system will be deployed as closely as possible. - + Configure GnuTLS library to use DoD-approved TLS Encryption @@ -286261,11 +286263,11 @@ which the system will be deployed as closely as possible. - + - + Configure Kerberos to use System Crypto Policy @@ -286275,12 +286277,12 @@ which the system will be deployed as closely as possible. - + - + Configure Libreswan to use System Crypto Policy @@ -286291,11 +286293,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure OpenSSL library to use System Crypto Policy @@ -286305,11 +286307,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure OpenSSL library to use TLS Encryption @@ -286320,14 +286322,14 @@ which the system will be deployed as closely as possible. - + - - + + - + Configure SSH to use System Crypto Policy @@ -286337,11 +286339,11 @@ which the system will be deployed as closely as possible. - - + + - + Harden OpenSSL Crypto Policy @@ -286355,7 +286357,7 @@ which the system will be deployed as closely as possible. - + Harden SSH client Crypto Policy @@ -286375,7 +286377,7 @@ which the system will be deployed as closely as possible. - + Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config @@ -286385,11 +286387,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config @@ -286399,11 +286401,11 @@ which the system will be deployed as closely as possible. - + - + Harden SSHD Crypto Policy @@ -286427,7 +286429,7 @@ which the system will be deployed as closely as possible. - + Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config @@ -286437,11 +286439,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config @@ -286451,11 +286453,11 @@ which the system will be deployed as closely as possible. - + - + OpenSSL uses strong entropy source @@ -286465,11 +286467,11 @@ which the system will be deployed as closely as possible. - - + + - + Install Virus Scanning Software @@ -286479,11 +286481,11 @@ which the system will be deployed as closely as possible. - + - + Install Intrusion Detection Software @@ -286498,7 +286500,7 @@ which the system will be deployed as closely as possible. - + Install McAfee Virus Scanning Software @@ -286512,7 +286514,7 @@ which the system will be deployed as closely as possible. - + Install the McAfee Runtime Libraries and Linux Agent @@ -286526,7 +286528,7 @@ which the system will be deployed as closely as possible. - + Virus Scanning Software Definitions Are Updated @@ -286535,11 +286537,11 @@ which the system will be deployed as closely as possible.Verify that McAfee AntiVirus definitions have been updated. - + - + Ensure McAfee Endpoint Security for Linux (ENSL) is running @@ -286549,11 +286551,11 @@ which the system will be deployed as closely as possible. - + - + Install the Asset Configuration Compliance Module (ACCM) @@ -286562,11 +286564,11 @@ which the system will be deployed as closely as possible.Install the Asset Configuration Compliance Module (ACCM). - + - + Install the Policy Auditor (PA) Module @@ -286575,11 +286577,11 @@ which the system will be deployed as closely as possible.Install the Policy Auditor (PA) Module. - + - + Enable Dracut FIPS Module @@ -286593,7 +286595,7 @@ which the system will be deployed as closely as possible. - + Enable FIPS Mode @@ -286604,26 +286606,26 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - + + - - + + - + - + Ensure '/etc/system-fips' exists @@ -286633,10 +286635,10 @@ which the system will be deployed as closely as possible. - + - + Set kernel parameter 'crypto.fips_enabled' to 1 @@ -286650,7 +286652,7 @@ which the system will be deployed as closely as possible. - + Build and Test AIDE Database @@ -286665,7 +286667,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Verify the Audit Tools @@ -286686,7 +286688,7 @@ which the system will be deployed as closely as possible. - + Configure Periodic Execution of AIDE @@ -286709,7 +286711,7 @@ which the system will be deployed as closely as possible. - + Configure Notification of Post-AIDE Scan Details @@ -286729,7 +286731,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Use FIPS 140-2 for Validating Hashes @@ -286746,7 +286748,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Verify Access Control Lists (ACLs) @@ -286761,7 +286763,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Verify Extended Attributes @@ -286776,7 +286778,7 @@ which the system will be deployed as closely as possible. - + Verify File Hashes with RPM @@ -286786,11 +286788,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify and Correct Ownership with RPM @@ -286804,11 +286806,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify and Correct File Permissions with RPM @@ -286821,11 +286823,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure a dedicated group owns sudo @@ -286835,12 +286837,12 @@ which the system will be deployed as closely as possible. - + - + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate @@ -286855,7 +286857,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD @@ -286870,7 +286872,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Re-Authenticate for Privilege Escalation - sudo @@ -286885,7 +286887,7 @@ which the system will be deployed as closely as possible. - + Require Re-Authentication When Using the sudo Command @@ -286900,7 +286902,7 @@ which the system will be deployed as closely as possible. - + The operating system must restrict privilege elevation to authorized personnel @@ -286915,7 +286917,7 @@ which the system will be deployed as closely as possible. - + Only the VDSM User Can Use sudo NOPASSWD @@ -286930,7 +286932,7 @@ which the system will be deployed as closely as possible. - + Ensure sudo only includes the default configuration directory @@ -286953,7 +286955,7 @@ which the system will be deployed as closely as possible. - + Explicit arguments in sudo specifications @@ -286967,7 +286969,7 @@ which the system will be deployed as closely as possible. - + Don't define allowed commands in sudoers by means of exclusion @@ -286981,7 +286983,7 @@ which the system will be deployed as closely as possible. - + Don't target root user in the sudoers file @@ -286996,7 +286998,7 @@ which the system will be deployed as closely as possible. - + Ensure invoking users password for privilege escalation when using sudo @@ -287015,7 +287017,7 @@ which the system will be deployed as closely as possible. - + Ensure yum Removes Previous Package Versions @@ -287026,11 +287028,11 @@ which the system will be deployed as closely as possible. - + - + Configure dnf-automatic to Install Available Updates Automatically @@ -287047,7 +287049,7 @@ which the system will be deployed as closely as possible. - + Configure dnf-automatic to Install Only Security Updates @@ -287064,7 +287066,7 @@ which the system will be deployed as closely as possible. - + Ensure gpgcheck Enabled In Main yum Configuration @@ -287080,7 +287082,7 @@ which the system will be deployed as closely as possible. - + Ensure gpgcheck Enabled for Local Packages @@ -287092,11 +287094,11 @@ which the system will be deployed as closely as possible. - + - + Ensure gpgcheck Enabled for All yum Package Repositories @@ -287110,7 +287112,7 @@ which the system will be deployed as closely as possible. - + Ensure gpgcheck Enabled for Repository Metadata @@ -287121,11 +287123,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Red Hat GPG Key Installed @@ -287151,7 +287153,7 @@ which the system will be deployed as closely as possible. - + Ensure PAM Enforces Password Requirements - Minimum Digit Characters @@ -287161,14 +287163,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words @@ -287178,14 +287180,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Different Characters @@ -287195,14 +287197,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only @@ -287212,12 +287214,12 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Enforce for root User @@ -287227,12 +287229,12 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters @@ -287242,14 +287244,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class @@ -287259,14 +287261,14 @@ which the system will be deployed as closely as possible. - + - + Set Password Maximum Consecutive Repeating Characters @@ -287276,14 +287278,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Different Categories @@ -287293,14 +287295,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Length @@ -287310,14 +287312,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Special Characters @@ -287327,14 +287329,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters @@ -287344,14 +287346,14 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file accesses @@ -287361,11 +287363,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file accesses @@ -287375,11 +287377,11 @@ which the system will be deployed as closely as possible. - + - + Configure basic parameters of Audit system @@ -287389,11 +287391,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file creations @@ -287403,11 +287405,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file creations @@ -287417,11 +287419,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file deletions @@ -287431,11 +287433,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file deletions @@ -287445,11 +287447,11 @@ which the system will be deployed as closely as possible. - + - + Configure immutable Audit login UIDs @@ -287459,11 +287461,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file modifications @@ -287473,11 +287475,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file modifications @@ -287487,11 +287489,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of loading and unloading of kernel modules @@ -287501,11 +287503,11 @@ which the system will be deployed as closely as possible. - + - + Perform general configuration of Audit for OSPP @@ -287515,11 +287517,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful ownership changes @@ -287529,11 +287531,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful ownership changes @@ -287543,11 +287545,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful permission changes @@ -287557,11 +287559,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful permission changes @@ -287571,11 +287573,11 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on the Use of Privileged Commands - init @@ -287595,7 +287597,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - poweroff @@ -287615,7 +287617,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - reboot @@ -287635,7 +287637,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - shutdown @@ -287655,7 +287657,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify the System's Discretionary Access Controls - chmod @@ -287670,7 +287672,7 @@ which the system will be deployed as closely as possible. - + @@ -287678,13 +287680,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - chown @@ -287699,7 +287701,7 @@ which the system will be deployed as closely as possible. - + @@ -287707,13 +287709,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchmod @@ -287728,7 +287730,7 @@ which the system will be deployed as closely as possible. - + @@ -287736,13 +287738,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchmodat @@ -287757,7 +287759,7 @@ which the system will be deployed as closely as possible. - + @@ -287765,13 +287767,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchown @@ -287786,7 +287788,7 @@ which the system will be deployed as closely as possible. - + @@ -287794,13 +287796,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchownat @@ -287815,7 +287817,7 @@ which the system will be deployed as closely as possible. - + @@ -287823,13 +287825,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fremovexattr @@ -287845,7 +287847,7 @@ which the system will be deployed as closely as possible. - + @@ -287855,14 +287857,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fsetxattr @@ -287878,7 +287880,7 @@ which the system will be deployed as closely as possible. - + @@ -287888,14 +287890,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - lchown @@ -287910,7 +287912,7 @@ which the system will be deployed as closely as possible. - + @@ -287918,13 +287920,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - lremovexattr @@ -287940,7 +287942,7 @@ which the system will be deployed as closely as possible. - + @@ -287950,14 +287952,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - lsetxattr @@ -287973,7 +287975,7 @@ which the system will be deployed as closely as possible. - + @@ -287983,14 +287985,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - removexattr @@ -288006,7 +288008,7 @@ which the system will be deployed as closely as possible. - + @@ -288016,14 +288018,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - setxattr @@ -288039,7 +288041,7 @@ which the system will be deployed as closely as possible. - + @@ -288049,14 +288051,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - umount2 @@ -288071,7 +288073,7 @@ which the system will be deployed as closely as possible. - + @@ -288079,13 +288081,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/group @@ -288100,7 +288102,7 @@ which the system will be deployed as closely as possible. - + @@ -288108,13 +288110,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group @@ -288129,7 +288131,7 @@ which the system will be deployed as closely as possible. - + @@ -288137,13 +288139,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/group @@ -288158,7 +288160,7 @@ which the system will be deployed as closely as possible. - + @@ -288166,13 +288168,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/gshadow @@ -288187,7 +288189,7 @@ which the system will be deployed as closely as possible. - + @@ -288195,13 +288197,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow @@ -288216,7 +288218,7 @@ which the system will be deployed as closely as possible. - + @@ -288224,13 +288226,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow @@ -288245,7 +288247,7 @@ which the system will be deployed as closely as possible. - + @@ -288253,13 +288255,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/passwd @@ -288274,7 +288276,7 @@ which the system will be deployed as closely as possible. - + @@ -288282,13 +288284,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd @@ -288303,7 +288305,7 @@ which the system will be deployed as closely as possible. - + @@ -288311,13 +288313,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/passwd @@ -288332,7 +288334,7 @@ which the system will be deployed as closely as possible. - + @@ -288340,13 +288342,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/shadow @@ -288361,7 +288363,7 @@ which the system will be deployed as closely as possible. - + @@ -288369,13 +288371,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow @@ -288390,7 +288392,7 @@ which the system will be deployed as closely as possible. - + @@ -288398,13 +288400,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/shadow @@ -288419,7 +288421,7 @@ which the system will be deployed as closely as possible. - + @@ -288427,13 +288429,13 @@ which the system will be deployed as closely as possible. - + - + Record Any Attempts to Run chacl @@ -288454,7 +288456,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run chcon @@ -288475,7 +288477,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run restorecon @@ -288496,7 +288498,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run semanage @@ -288517,7 +288519,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run setfacl @@ -288538,7 +288540,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run setfiles @@ -288559,7 +288561,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run setsebool @@ -288580,7 +288582,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run seunshare @@ -288601,7 +288603,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects File Deletion Events by User - rename @@ -288616,7 +288618,7 @@ which the system will be deployed as closely as possible. - + @@ -288624,13 +288626,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - renameat @@ -288645,7 +288647,7 @@ which the system will be deployed as closely as possible. - + @@ -288653,13 +288655,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - rmdir @@ -288674,7 +288676,7 @@ which the system will be deployed as closely as possible. - + @@ -288682,13 +288684,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - unlink @@ -288703,7 +288705,7 @@ which the system will be deployed as closely as possible. - + @@ -288711,13 +288713,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - unlinkat @@ -288732,7 +288734,7 @@ which the system will be deployed as closely as possible. - + @@ -288740,13 +288742,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Logon and Logout Events - faillock @@ -288767,7 +288769,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter Logon and Logout Events - lastlog @@ -288788,7 +288790,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter Logon and Logout Events - tallylog @@ -288809,7 +288811,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on Exporting to Media (successful) @@ -288824,7 +288826,7 @@ which the system will be deployed as closely as possible. - + @@ -288832,13 +288834,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on the Use of Privileged Commands - at @@ -288859,7 +288861,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - chage @@ -288880,7 +288882,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - chsh @@ -288901,7 +288903,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - crontab @@ -288922,7 +288924,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd @@ -288943,7 +288945,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - mount @@ -288964,7 +288966,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap @@ -288985,7 +288987,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp @@ -289006,7 +289008,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap @@ -289027,7 +289029,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check @@ -289048,7 +289050,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - passwd @@ -289069,7 +289071,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - postdrop @@ -289090,7 +289092,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - postqueue @@ -289111,7 +289113,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown @@ -289132,7 +289134,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run ssh-agent @@ -289153,7 +289155,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign @@ -289174,7 +289176,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - su @@ -289195,7 +289197,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - sudo @@ -289216,7 +289218,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit @@ -289237,7 +289239,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - umount @@ -289258,7 +289260,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd @@ -289279,7 +289281,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - unix_update @@ -289300,7 +289302,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper @@ -289321,7 +289323,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - usermod @@ -289342,7 +289344,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl @@ -289363,7 +289365,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - chmod @@ -289379,7 +289381,7 @@ which the system will be deployed as closely as possible. - + @@ -289391,7 +289393,7 @@ which the system will be deployed as closely as possible. - + @@ -289400,7 +289402,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - chown @@ -289416,7 +289418,7 @@ which the system will be deployed as closely as possible. - + @@ -289428,7 +289430,7 @@ which the system will be deployed as closely as possible. - + @@ -289437,7 +289439,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - creat @@ -289453,7 +289455,7 @@ which the system will be deployed as closely as possible. - + @@ -289465,7 +289467,7 @@ which the system will be deployed as closely as possible. - + @@ -289474,7 +289476,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fchmod @@ -289490,7 +289492,7 @@ which the system will be deployed as closely as possible. - + @@ -289502,7 +289504,7 @@ which the system will be deployed as closely as possible. - + @@ -289511,7 +289513,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fchmodat @@ -289527,7 +289529,7 @@ which the system will be deployed as closely as possible. - + @@ -289539,7 +289541,7 @@ which the system will be deployed as closely as possible. - + @@ -289548,7 +289550,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - fchown @@ -289564,7 +289566,7 @@ which the system will be deployed as closely as possible. - + @@ -289576,7 +289578,7 @@ which the system will be deployed as closely as possible. - + @@ -289585,7 +289587,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - fchownat @@ -289601,7 +289603,7 @@ which the system will be deployed as closely as possible. - + @@ -289613,7 +289615,7 @@ which the system will be deployed as closely as possible. - + @@ -289622,7 +289624,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fremovexattr @@ -289638,7 +289640,7 @@ which the system will be deployed as closely as possible. - + @@ -289650,7 +289652,7 @@ which the system will be deployed as closely as possible. - + @@ -289659,7 +289661,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fsetxattr @@ -289675,7 +289677,7 @@ which the system will be deployed as closely as possible. - + @@ -289687,7 +289689,7 @@ which the system will be deployed as closely as possible. - + @@ -289696,7 +289698,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - ftruncate @@ -289712,7 +289714,7 @@ which the system will be deployed as closely as possible. - + @@ -289724,7 +289726,7 @@ which the system will be deployed as closely as possible. - + @@ -289733,7 +289735,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - lchown @@ -289749,7 +289751,7 @@ which the system will be deployed as closely as possible. - + @@ -289761,7 +289763,7 @@ which the system will be deployed as closely as possible. - + @@ -289770,7 +289772,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - lremovexattr @@ -289786,7 +289788,7 @@ which the system will be deployed as closely as possible. - + @@ -289798,7 +289800,7 @@ which the system will be deployed as closely as possible. - + @@ -289807,7 +289809,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - lsetxattr @@ -289823,7 +289825,7 @@ which the system will be deployed as closely as possible. - + @@ -289835,7 +289837,7 @@ which the system will be deployed as closely as possible. - + @@ -289844,7 +289846,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - open @@ -289860,7 +289862,7 @@ which the system will be deployed as closely as possible. - + @@ -289872,7 +289874,7 @@ which the system will be deployed as closely as possible. - + @@ -289881,7 +289883,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - open_by_handle_at @@ -289897,7 +289899,7 @@ which the system will be deployed as closely as possible. - + @@ -289909,7 +289911,7 @@ which the system will be deployed as closely as possible. - + @@ -289918,7 +289920,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT @@ -289934,7 +289936,7 @@ which the system will be deployed as closely as possible. - + @@ -289946,7 +289948,7 @@ which the system will be deployed as closely as possible. - + @@ -289955,7 +289957,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE @@ -289971,7 +289973,7 @@ which the system will be deployed as closely as possible. - + @@ -289983,7 +289985,7 @@ which the system will be deployed as closely as possible. - + @@ -289992,7 +289994,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly @@ -290008,7 +290010,7 @@ which the system will be deployed as closely as possible. - + @@ -290020,7 +290022,7 @@ which the system will be deployed as closely as possible. - + @@ -290029,7 +290031,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Creation Attempts to Files - open O_CREAT @@ -290045,7 +290047,7 @@ which the system will be deployed as closely as possible. - + @@ -290057,7 +290059,7 @@ which the system will be deployed as closely as possible. - + @@ -290066,7 +290068,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE @@ -290082,7 +290084,7 @@ which the system will be deployed as closely as possible. - + @@ -290094,7 +290096,7 @@ which the system will be deployed as closely as possible. - + @@ -290103,7 +290105,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly @@ -290119,7 +290121,7 @@ which the system will be deployed as closely as possible. - + @@ -290131,7 +290133,7 @@ which the system will be deployed as closely as possible. - + @@ -290140,7 +290142,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - openat @@ -290156,7 +290158,7 @@ which the system will be deployed as closely as possible. - + @@ -290168,7 +290170,7 @@ which the system will be deployed as closely as possible. - + @@ -290177,7 +290179,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Creation Attempts to Files - openat O_CREAT @@ -290193,7 +290195,7 @@ which the system will be deployed as closely as possible. - + @@ -290205,7 +290207,7 @@ which the system will be deployed as closely as possible. - + @@ -290214,7 +290216,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE @@ -290230,7 +290232,7 @@ which the system will be deployed as closely as possible. - + @@ -290242,7 +290244,7 @@ which the system will be deployed as closely as possible. - + @@ -290251,7 +290253,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly @@ -290267,7 +290269,7 @@ which the system will be deployed as closely as possible. - + @@ -290279,7 +290281,7 @@ which the system will be deployed as closely as possible. - + @@ -290288,7 +290290,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - removexattr @@ -290304,7 +290306,7 @@ which the system will be deployed as closely as possible. - + @@ -290316,7 +290318,7 @@ which the system will be deployed as closely as possible. - + @@ -290325,7 +290327,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - rename @@ -290341,7 +290343,7 @@ which the system will be deployed as closely as possible. - + @@ -290353,7 +290355,7 @@ which the system will be deployed as closely as possible. - + @@ -290362,7 +290364,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - renameat @@ -290378,7 +290380,7 @@ which the system will be deployed as closely as possible. - + @@ -290390,7 +290392,7 @@ which the system will be deployed as closely as possible. - + @@ -290399,7 +290401,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - setxattr @@ -290415,7 +290417,7 @@ which the system will be deployed as closely as possible. - + @@ -290427,7 +290429,7 @@ which the system will be deployed as closely as possible. - + @@ -290436,7 +290438,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - truncate @@ -290452,7 +290454,7 @@ which the system will be deployed as closely as possible. - + @@ -290464,7 +290466,7 @@ which the system will be deployed as closely as possible. - + @@ -290473,7 +290475,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - unlink @@ -290489,7 +290491,7 @@ which the system will be deployed as closely as possible. - + @@ -290501,7 +290503,7 @@ which the system will be deployed as closely as possible. - + @@ -290510,7 +290512,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - unlinkat @@ -290526,7 +290528,7 @@ which the system will be deployed as closely as possible. - + @@ -290538,7 +290540,7 @@ which the system will be deployed as closely as possible. - + @@ -290547,7 +290549,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/group @@ -290568,7 +290570,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/gshadow @@ -290589,7 +290591,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/security/opasswd @@ -290610,7 +290612,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/passwd @@ -290631,7 +290633,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/shadow @@ -290652,7 +290654,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to perform maintenance activities @@ -290673,7 +290675,7 @@ which the system will be deployed as closely as possible. - + Set number of records to cause an explicit flush to audit logs @@ -290687,7 +290689,7 @@ which the system will be deployed as closely as possible. - + Include Local Events in Audit Logs @@ -290701,7 +290703,7 @@ which the system will be deployed as closely as possible. - + Resolve information before writing to audit logs @@ -290715,7 +290717,7 @@ which the system will be deployed as closely as possible. - + Write Audit Logs to the Disk @@ -290730,7 +290732,7 @@ which the system will be deployed as closely as possible. - + Ensure SELinux Not Disabled in the kernel arguments @@ -290743,18 +290745,18 @@ which the system will be deployed as closely as possible. - + - + - + - + Disable User Administration in GNOME3 @@ -290769,7 +290771,7 @@ which the system will be deployed as closely as possible. - + Enable the GNOME3 Screen Locking On Smartcard Removal @@ -290784,7 +290786,7 @@ which the system will be deployed as closely as possible. - + Verify that Shared Library Directories Have Root Group Ownership @@ -290794,14 +290796,14 @@ which the system will be deployed as closely as possible. - + - + Verify that System Executable Have Root Ownership @@ -290810,7 +290812,7 @@ which the system will be deployed as closely as possible.This test makes sure that /bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/ is owned by 0. - + @@ -290819,7 +290821,7 @@ which the system will be deployed as closely as possible. - + Verify that Shared Library Directories Have Root Ownership @@ -290829,14 +290831,14 @@ which the system will be deployed as closely as possible. - + - + Verify that System Executable Directories Have Restrictive Permissions @@ -290847,7 +290849,7 @@ which the system will be deployed as closely as possible. - + @@ -290856,7 +290858,7 @@ which the system will be deployed as closely as possible. - + Verify that Shared Library Directories Have Restrictive Permissions @@ -290868,14 +290870,14 @@ which the system will be deployed as closely as possible. - + - + Disable Host-Based Authentication @@ -290902,7 +290904,7 @@ which the system will be deployed as closely as possible. - + Ensure that /etc/at.deny does not exist @@ -290912,11 +290914,11 @@ which the system will be deployed as closely as possible. - + - + Audit Tools Must Be Group-owned by Root @@ -290926,7 +290928,7 @@ which the system will be deployed as closely as possible. - + @@ -290936,7 +290938,7 @@ which the system will be deployed as closely as possible. - + Audit Tools Must Be Owned by Root @@ -290946,7 +290948,7 @@ which the system will be deployed as closely as possible. - + @@ -290956,7 +290958,7 @@ which the system will be deployed as closely as possible. - + Audit Tools Must Have a Mode of 0755 or Less Permissive @@ -290968,7 +290970,7 @@ which the system will be deployed as closely as possible. - + @@ -290978,7 +290980,7 @@ which the system will be deployed as closely as possible. - + Ensure that /etc/cron.deny does not exist @@ -290988,11 +290990,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /etc/at.allow file @@ -291002,11 +291004,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup group File @@ -291016,11 +291018,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup gshadow File @@ -291030,11 +291032,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup passwd File @@ -291044,11 +291046,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup shadow File @@ -291058,11 +291060,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /etc/cron.allow file @@ -291072,11 +291074,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.d @@ -291086,11 +291088,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.daily @@ -291100,11 +291102,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.hourly @@ -291114,11 +291116,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.monthly @@ -291128,11 +291130,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.weekly @@ -291142,11 +291144,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Crontab @@ -291156,11 +291158,11 @@ which the system will be deployed as closely as possible. - + - + Verify the UEFI Boot Loader grub.cfg Group Ownership @@ -291170,11 +291172,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/efi/EFI/redhat/user.cfg Group Ownership @@ -291184,11 +291186,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns group File @@ -291198,11 +291200,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns gshadow File @@ -291212,11 +291214,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership of System Login Banner @@ -291226,11 +291228,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership of System Login Banner for Remote Connections @@ -291240,11 +291242,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership of Message of the Day Banner @@ -291254,11 +291256,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns passwd File @@ -291268,11 +291270,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns shadow File @@ -291282,11 +291284,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/grub.cfg Group Ownership @@ -291296,11 +291298,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns SSH Server config file @@ -291310,11 +291312,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/user.cfg Group Ownership @@ -291324,11 +291326,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /var/log Directory @@ -291338,11 +291340,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /var/log/messages File @@ -291352,11 +291354,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /var/log/syslog File @@ -291365,11 +291367,11 @@ which the system will be deployed as closely as possible.This test makes sure that /var/log/syslog is group owned by 4. - + - + Verify that audit tools are owned by group root @@ -291379,7 +291381,7 @@ which the system will be deployed as closely as possible. - + @@ -291389,7 +291391,7 @@ which the system will be deployed as closely as possible. - + Audit Configuration Files Must Be Owned By Group root @@ -291398,12 +291400,12 @@ which the system will be deployed as closely as possible.This test makes sure that /etc/audit/, /etc/audit/rules.d/ is group owned by 0. - + - + Verify Group Ownership on SSH Server Private *_key Key Files @@ -291413,11 +291415,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership on SSH Server Public *.pub Key Files @@ -291427,11 +291429,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup group File @@ -291441,11 +291443,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup gshadow File @@ -291455,11 +291457,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup passwd File @@ -291469,11 +291471,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup shadow File @@ -291483,11 +291485,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /etc/cron.allow file @@ -291497,11 +291499,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.d @@ -291511,11 +291513,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.daily @@ -291525,11 +291527,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.hourly @@ -291539,11 +291541,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.monthly @@ -291553,11 +291555,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.weekly @@ -291567,11 +291569,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on crontab @@ -291581,11 +291583,11 @@ which the system will be deployed as closely as possible. - + - + Verify the UEFI Boot Loader grub.cfg User Ownership @@ -291595,11 +291597,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/efi/EFI/redhat/user.cfg User Ownership @@ -291609,11 +291611,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns group File @@ -291623,11 +291625,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns gshadow File @@ -291637,11 +291639,11 @@ which the system will be deployed as closely as possible. - + - + Verify ownership of System Login Banner @@ -291651,11 +291653,11 @@ which the system will be deployed as closely as possible. - + - + Verify ownership of System Login Banner for Remote Connections @@ -291665,11 +291667,11 @@ which the system will be deployed as closely as possible. - + - + Verify ownership of Message of the Day Banner @@ -291679,11 +291681,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns passwd File @@ -291693,11 +291695,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns shadow File @@ -291707,11 +291709,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/grub.cfg User Ownership @@ -291721,11 +291723,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on SSH Server config file @@ -291735,11 +291737,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/user.cfg User Ownership @@ -291749,11 +291751,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /var/log Directory @@ -291763,11 +291765,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /var/log/messages File @@ -291777,11 +291779,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /var/log/syslog File @@ -291790,11 +291792,11 @@ which the system will be deployed as closely as possible.This test makes sure that /var/log/syslog is owned by 104. - + - + Verify that audit tools are owned by root @@ -291804,7 +291806,7 @@ which the system will be deployed as closely as possible. - + @@ -291814,7 +291816,7 @@ which the system will be deployed as closely as possible. - + Audit Configuration Files Must Be Owned By Root @@ -291823,12 +291825,12 @@ which the system will be deployed as closely as possible.This test makes sure that /etc/audit/, /etc/audit/rules.d/ is owned by 0. - + - + Verify that Shared Library Files Have Root Ownership @@ -291838,14 +291840,14 @@ which the system will be deployed as closely as possible. - + - + Verify Ownership on SSH Server Private *_key Key Files @@ -291855,11 +291857,11 @@ which the system will be deployed as closely as possible. - + - + Verify Ownership on SSH Server Public *.pub Key Files @@ -291869,11 +291871,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/at.allow file @@ -291885,11 +291887,11 @@ which the system will be deployed as closely as possible. - + - + Verify that audit tools Have Mode 0755 or less @@ -291901,7 +291903,7 @@ which the system will be deployed as closely as possible. - + @@ -291911,7 +291913,7 @@ which the system will be deployed as closely as possible. - + Audit Configuration Files Permissions are 640 or More Restrictive @@ -291922,12 +291924,12 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup group File @@ -291939,11 +291941,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup gshadow File @@ -291955,11 +291957,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup passwd File @@ -291971,11 +291973,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup shadow File @@ -291987,11 +291989,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/cron.allow file @@ -292003,11 +292005,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.d @@ -292019,11 +292021,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.daily @@ -292035,11 +292037,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.hourly @@ -292051,11 +292053,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.monthly @@ -292067,11 +292069,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.weekly @@ -292083,11 +292085,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on crontab @@ -292099,11 +292101,11 @@ which the system will be deployed as closely as possible. - + - + Verify the UEFI Boot Loader grub.cfg Permissions @@ -292115,11 +292117,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/efi/EFI/redhat/user.cfg Permissions @@ -292131,11 +292133,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/audit/auditd.conf @@ -292147,11 +292149,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/audit/rules.d/*.rules @@ -292163,11 +292165,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on group File @@ -292179,11 +292181,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on gshadow File @@ -292195,11 +292197,11 @@ which the system will be deployed as closely as possible. - + - + Verify permissions on System Login Banner @@ -292211,11 +292213,11 @@ which the system will be deployed as closely as possible. - + - + Verify permissions on System Login Banner for Remote Connections @@ -292227,11 +292229,11 @@ which the system will be deployed as closely as possible. - + - + Verify permissions on Message of the Day Banner @@ -292243,11 +292245,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on passwd File @@ -292259,11 +292261,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on shadow File @@ -292275,11 +292277,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/grub.cfg Permissions @@ -292291,11 +292293,11 @@ which the system will be deployed as closely as possible. - + - + Verify that Shared Library Files Have Restrictive Permissions @@ -292307,14 +292309,14 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on SSH Server config file @@ -292326,11 +292328,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on SSH Server Public *.pub Key Files @@ -292342,11 +292344,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/user.cfg Permissions @@ -292358,11 +292360,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /var/log Directory @@ -292374,11 +292376,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /var/log/messages File @@ -292390,11 +292392,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /var/log/syslog File @@ -292405,11 +292407,11 @@ which the system will be deployed as closely as possible. - + - + Configure Firewalld to Use the Nftables Backend @@ -292423,7 +292425,7 @@ which the system will be deployed as closely as possible. - + Enable Auditing for Processes Which Start Prior to the Audit Daemon @@ -292435,20 +292437,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Extend Audit Backlog Limit for the Audit Daemon @@ -292460,20 +292462,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + IOMMU configuration directive @@ -292485,20 +292487,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure IPv6 is disabled through kernel boot parameter @@ -292510,20 +292512,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Configure L1 Terminal Fault mitigations @@ -292535,20 +292537,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Force kernel panic on uncorrected MCEs @@ -292560,20 +292562,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure SMAP is not disabled during boot @@ -292585,20 +292587,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure SMEP is not disabled during boot @@ -292610,20 +292612,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enable page allocator poisoning @@ -292635,20 +292637,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enable Kernel Page-Table Isolation (KPTI) @@ -292660,20 +292662,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Configure the confidence in TPM for entropy @@ -292685,20 +292687,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Disable merging of slabs with similar size @@ -292710,20 +292712,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enable SLUB/SLAB allocator poisoning @@ -292735,20 +292737,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Configure Speculative Store Bypass Mitigation @@ -292760,20 +292762,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enforce Spectre v2 mitigation @@ -292785,20 +292787,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure debug-shell service is not enabled during boot @@ -292809,20 +292811,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Disable vsyscalls @@ -292834,20 +292836,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Install Smart Card Packages For Multifactor Authentication @@ -292857,11 +292859,11 @@ which the system will be deployed as closely as possible. - + - + Ensure journald is configured to compress large log files @@ -292875,7 +292877,7 @@ which the system will be deployed as closely as possible. - + Ensure journald is configured to send logs to rsyslog @@ -292889,7 +292891,7 @@ which the system will be deployed as closely as possible. - + Ensure journald is configured to write log files to persistent disk @@ -292903,7 +292905,7 @@ which the system will be deployed as closely as possible. - + Do not allow ACPI methods to be inserted/replaced at run time @@ -292921,7 +292923,7 @@ which the system will be deployed as closely as possible. - + Emulate Privileged Access Never (PAN) @@ -292938,7 +292940,7 @@ which the system will be deployed as closely as possible. - + Disable kernel support for MISC binaries @@ -292956,7 +292958,7 @@ which the system will be deployed as closely as possible. - + Enable support for BUG() @@ -292973,7 +292975,7 @@ which the system will be deployed as closely as possible. - + Trigger a kernel BUG when data corruption is detected @@ -292990,7 +292992,7 @@ which the system will be deployed as closely as possible. - + Disable compatibility with brk() @@ -293008,7 +293010,7 @@ which the system will be deployed as closely as possible. - + Disable the 32-bit vDSO @@ -293026,7 +293028,7 @@ which the system will be deployed as closely as possible. - + Enable checks on credential management @@ -293043,7 +293045,7 @@ which the system will be deployed as closely as possible. - + Disable kernel debugfs @@ -293061,7 +293063,7 @@ which the system will be deployed as closely as possible. - + Enable checks on linked list manipulation @@ -293078,7 +293080,7 @@ which the system will be deployed as closely as possible. - + Enable checks on notifier call chains @@ -293095,7 +293097,7 @@ which the system will be deployed as closely as possible. - + Enable checks on scatter-gather (SG) table operations @@ -293112,7 +293114,7 @@ which the system will be deployed as closely as possible. - + Warn on W+X mappings found at boot @@ -293129,7 +293131,7 @@ which the system will be deployed as closely as possible. - + Configure low address space to protect from user allocation @@ -293146,7 +293148,7 @@ which the system will be deployed as closely as possible. - + Disable /dev/kmem virtual device support @@ -293164,7 +293166,7 @@ which the system will be deployed as closely as possible. - + Harden common str/mem functions against buffer overflows @@ -293181,7 +293183,7 @@ which the system will be deployed as closely as possible. - + Generate some entropy during boot and runtime @@ -293198,7 +293200,7 @@ which the system will be deployed as closely as possible. - + Force initialization of variables containing userspace addresses @@ -293215,7 +293217,7 @@ which the system will be deployed as closely as possible. - + Harden memory copies between kernel and userspace @@ -293232,7 +293234,7 @@ which the system will be deployed as closely as possible. - + Do not allow usercopy whitelist violations to fallback to object size @@ -293250,7 +293252,7 @@ which the system will be deployed as closely as possible. - + Disable hibernation @@ -293268,7 +293270,7 @@ which the system will be deployed as closely as possible. - + Disable IA32 emulation @@ -293286,7 +293288,7 @@ which the system will be deployed as closely as possible. - + Disable the IPv6 protocol @@ -293304,7 +293306,7 @@ which the system will be deployed as closely as possible. - + Disable kexec system call @@ -293322,7 +293324,7 @@ which the system will be deployed as closely as possible. - + Disable legacy (BSD) PTY support @@ -293340,7 +293342,7 @@ which the system will be deployed as closely as possible. - + Disable vsyscall emulation @@ -293358,7 +293360,7 @@ which the system will be deployed as closely as possible. - + Disable vsyscall mapping @@ -293375,7 +293377,7 @@ which the system will be deployed as closely as possible. - + Disable the LDT (local descriptor table) @@ -293393,7 +293395,7 @@ which the system will be deployed as closely as possible. - + Enable module signature verification @@ -293410,7 +293412,7 @@ which the system will be deployed as closely as possible. - + Enable automatic signing of all modules @@ -293427,7 +293429,7 @@ which the system will be deployed as closely as possible. - + Require modules to be validly signed @@ -293444,7 +293446,7 @@ which the system will be deployed as closely as possible. - + Specify the hash to use when signing modules @@ -293461,7 +293463,7 @@ which the system will be deployed as closely as possible. - + Specify module signing key to use @@ -293478,7 +293480,7 @@ which the system will be deployed as closely as possible. - + Sign kernel modules with SHA-512 @@ -293495,7 +293497,7 @@ which the system will be deployed as closely as possible. - + Enable poison of pages after freeing @@ -293512,7 +293514,7 @@ which the system will be deployed as closely as possible. - + Enable poison without sanity check @@ -293529,7 +293531,7 @@ which the system will be deployed as closely as possible. - + Use zero for poisoning instead of debugging value @@ -293546,7 +293548,7 @@ which the system will be deployed as closely as possible. - + Remove the kernel mapping in user mode @@ -293563,7 +293565,7 @@ which the system will be deployed as closely as possible. - + Kernel panic oops @@ -293580,7 +293582,7 @@ which the system will be deployed as closely as possible. - + Kernel panic timeout @@ -293597,7 +293599,7 @@ which the system will be deployed as closely as possible. - + Disable support for /proc/kkcore @@ -293615,7 +293617,7 @@ which the system will be deployed as closely as possible. - + Randomize the address of the kernel image (KASLR) @@ -293632,7 +293634,7 @@ which the system will be deployed as closely as possible. - + Randomize the kernel memory sections @@ -293649,7 +293651,7 @@ which the system will be deployed as closely as possible. - + Perform full reference count validation @@ -293666,7 +293668,7 @@ which the system will be deployed as closely as possible. - + Avoid speculative indirect branches in kernel @@ -293683,7 +293685,7 @@ which the system will be deployed as closely as possible. - + Detect stack corruption on calls to schedule() @@ -293700,7 +293702,7 @@ which the system will be deployed as closely as possible. - + Enable seccomp to safely compute untrusted bytecode @@ -293717,7 +293719,7 @@ which the system will be deployed as closely as possible. - + Enable use of Berkeley Packet Filter with seccomp @@ -293734,7 +293736,7 @@ which the system will be deployed as closely as possible. - + Enable different security models @@ -293751,7 +293753,7 @@ which the system will be deployed as closely as possible. - + Restrict unprivileged access to the kernel syslog @@ -293769,7 +293771,7 @@ which the system will be deployed as closely as possible. - + Disable mutable hooks @@ -293786,7 +293788,7 @@ which the system will be deployed as closely as possible. - + Enable Yama support @@ -293803,7 +293805,7 @@ which the system will be deployed as closely as possible. - + Harden slab freelist metadata @@ -293820,7 +293822,7 @@ which the system will be deployed as closely as possible. - + Randomize slab freelist @@ -293837,7 +293839,7 @@ which the system will be deployed as closely as possible. - + Disallow merge of slab caches @@ -293855,7 +293857,7 @@ which the system will be deployed as closely as possible. - + Enable SLUB debugging support @@ -293872,7 +293874,7 @@ which the system will be deployed as closely as possible. - + Stack Protector buffer overlow detection @@ -293889,7 +293891,7 @@ which the system will be deployed as closely as possible. - + Strong Stack Protector @@ -293906,7 +293908,7 @@ which the system will be deployed as closely as possible. - + Make the kernel text and rodata read-only @@ -293923,7 +293925,7 @@ which the system will be deployed as closely as possible. - + Make the module text and rodata read-only @@ -293940,7 +293942,7 @@ which the system will be deployed as closely as possible. - + Enable TCP/IP syncookie support @@ -293957,7 +293959,7 @@ which the system will be deployed as closely as possible. - + Unmap kernel when running in userspace (aka KAISER) @@ -293974,7 +293976,7 @@ which the system will be deployed as closely as possible. - + User a virtually-mapped stack @@ -293991,7 +293993,7 @@ which the system will be deployed as closely as possible. - + Disable x86 vsyscall emulation @@ -294009,7 +294011,7 @@ which the system will be deployed as closely as possible. - + Disable ATM Support @@ -294021,12 +294023,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Bluetooth Kernel Module @@ -294038,12 +294040,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable CAN Support @@ -294055,12 +294057,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel cfg80211 Module @@ -294071,12 +294073,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of cramfs @@ -294088,12 +294090,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable DCCP Support @@ -294105,12 +294107,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable IEEE 1394 (FireWire) Support @@ -294122,12 +294124,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of freevxfs @@ -294138,12 +294140,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of hfs @@ -294154,12 +294156,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of hfsplus @@ -294170,12 +294172,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel iwlmvm Module @@ -294186,12 +294188,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel iwlwifi Module @@ -294202,12 +294204,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of jffs2 @@ -294218,12 +294220,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel mac80211 Module @@ -294234,12 +294236,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable RDS Support @@ -294251,12 +294253,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable SCTP Support @@ -294268,12 +294270,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of squashfs @@ -294285,12 +294287,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable TIPC Support @@ -294302,12 +294304,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of udf @@ -294319,12 +294321,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Modprobe Loading of USB Storage Driver @@ -294336,12 +294338,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable the uvcvideo module @@ -294353,12 +294355,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of vFAT filesystems @@ -294370,12 +294372,12 @@ which the system will be deployed as closely as possible. - - + + - + Add nosuid Option to /boot/efi @@ -294388,15 +294390,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noauto Option to /boot @@ -294409,15 +294411,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /boot @@ -294430,15 +294432,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /boot @@ -294451,15 +294453,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /boot @@ -294472,15 +294474,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /dev/shm @@ -294493,14 +294495,14 @@ which the system will be deployed as closely as possible. - + - + Add noexec Option to /dev/shm @@ -294513,14 +294515,14 @@ which the system will be deployed as closely as possible. - + - + Add nosuid Option to /dev/shm @@ -294533,14 +294535,14 @@ which the system will be deployed as closely as possible. - + - + Add grpquota Option to /home @@ -294553,15 +294555,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /home @@ -294574,15 +294576,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /home @@ -294595,15 +294597,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /home @@ -294616,15 +294618,15 @@ which the system will be deployed as closely as possible. - + - + - + Add usrquota Option to /home @@ -294637,15 +294639,15 @@ which the system will be deployed as closely as possible. - + - + - + Mount Remote Filesystems with Kerberos Security @@ -294659,7 +294661,7 @@ which the system will be deployed as closely as possible. - + Mount Remote Filesystems with nodev @@ -294674,7 +294676,7 @@ which the system will be deployed as closely as possible. - + Add nodev Option to Removable Media Partitions @@ -294689,14 +294691,14 @@ which the system will be deployed as closely as possible. - - + + - + - + Mount Remote Filesystems with noexec @@ -294711,7 +294713,7 @@ which the system will be deployed as closely as possible. - + Add noexec Option to Removable Media Partitions @@ -294726,14 +294728,14 @@ which the system will be deployed as closely as possible. - - + + - + - + Mount Remote Filesystems with nosuid @@ -294748,7 +294750,7 @@ which the system will be deployed as closely as possible. - + Add nosuid Option to Removable Media Partitions @@ -294763,14 +294765,14 @@ which the system will be deployed as closely as possible. - - + + - + - + Add nosuid Option to /opt @@ -294783,15 +294785,15 @@ which the system will be deployed as closely as possible. - + - + - + Add hidepid Option to /proc @@ -294804,14 +294806,14 @@ which the system will be deployed as closely as possible. - + - + Add nosuid Option to /srv @@ -294824,15 +294826,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /tmp @@ -294845,15 +294847,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /tmp @@ -294866,15 +294868,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /tmp @@ -294887,15 +294889,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var/log/audit @@ -294908,15 +294910,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var/log/audit @@ -294929,15 +294931,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var/log/audit @@ -294950,15 +294952,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var/log @@ -294971,15 +294973,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var/log @@ -294992,15 +294994,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var/log @@ -295013,15 +295015,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var @@ -295034,15 +295036,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var @@ -295055,15 +295057,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var @@ -295076,15 +295078,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var/tmp @@ -295097,15 +295099,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var/tmp @@ -295118,15 +295120,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var/tmp @@ -295139,15 +295141,15 @@ which the system will be deployed as closely as possible. - + - + - + package_GConf2_installed @@ -295156,11 +295158,11 @@ which the system will be deployed as closely as possible.The RPM package GConf2 should be installed. - + - + Install the Host Intrusion Prevention System (HIPS) Module @@ -295169,11 +295171,11 @@ which the system will be deployed as closely as possible.The RPM package MFEhiplsm should be installed. - + - + Uninstall abrt-addon-ccpp Package @@ -295183,11 +295185,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-addon-kerneloops Package @@ -295197,11 +295199,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-cli Package @@ -295211,11 +295213,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-plugin-logger Package @@ -295225,11 +295227,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-plugin-rhtsupport Package @@ -295239,11 +295241,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-plugin-sosreport Package @@ -295253,11 +295255,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall Automatic Bug Reporting Tool (abrt) @@ -295267,11 +295269,11 @@ which the system will be deployed as closely as possible. - + - + Install AIDE @@ -295281,11 +295283,11 @@ which the system will be deployed as closely as possible. - + - + Install audispd-plugins Package @@ -295295,11 +295297,11 @@ which the system will be deployed as closely as possible. - + - + Ensure the default plugins for the audit dispatcher are Installed @@ -295308,11 +295310,11 @@ which the system will be deployed as closely as possible.The RPM package audit-audispd-plugins should be installed. - + - + Ensure the audit Subsystem is Installed @@ -295322,11 +295324,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall avahi-autoipd Server Package @@ -295336,11 +295338,11 @@ which the system will be deployed as closely as possible. - + - + package_avahi_installed @@ -295349,11 +295351,11 @@ which the system will be deployed as closely as possible.The RPM package avahi should be installed. - + - + Uninstall avahi Server Package @@ -295363,11 +295365,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall bind Package @@ -295377,11 +295379,11 @@ which the system will be deployed as closely as possible. - + - + Install binutils Package @@ -295391,11 +295393,11 @@ which the system will be deployed as closely as possible. - + - + The Chrony package is installed @@ -295405,11 +295407,11 @@ which the system will be deployed as closely as possible. - + - + Install the cron service @@ -295418,11 +295420,11 @@ which the system will be deployed as closely as possible.The RPM package cron should be installed. - + - + Install crypto-policies package @@ -295432,11 +295434,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall CUPS Package @@ -295446,11 +295448,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall cyrus-imapd Package @@ -295460,11 +295462,11 @@ which the system will be deployed as closely as possible. - + - + package_dconf_installed @@ -295473,11 +295475,11 @@ which the system will be deployed as closely as possible.The RPM package dconf should be installed. - + - + Uninstall DHCP Server Package @@ -295487,11 +295489,11 @@ which the system will be deployed as closely as possible. - + - + Install dnf-automatic Package @@ -295501,11 +295503,11 @@ which the system will be deployed as closely as possible. - + - + Install dnf-plugin-subscription-manager Package @@ -295515,11 +295517,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall dovecot Package @@ -295529,11 +295531,11 @@ which the system will be deployed as closely as possible. - + - + package_esc_installed @@ -295542,11 +295544,11 @@ which the system will be deployed as closely as possible.The RPM package esc should be installed. - + - + Install fapolicyd Package @@ -295556,11 +295558,11 @@ which the system will be deployed as closely as possible. - + - + Install firewalld Package @@ -295570,11 +295572,11 @@ which the system will be deployed as closely as possible. - + - + Remove the FreeRadius Server Package @@ -295584,11 +295586,11 @@ which the system will be deployed as closely as possible. - + - + package_gdm_installed @@ -295597,11 +295599,11 @@ which the system will be deployed as closely as possible.The RPM package gdm should be installed. - + - + Remove the GDM Package Group @@ -295611,11 +295613,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall geolite2-city Package @@ -295625,11 +295627,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall geolite2-country Package @@ -295639,11 +295641,11 @@ which the system will be deployed as closely as possible. - + - + Ensure gnutls-utils is installed @@ -295653,11 +295655,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall gssproxy Package @@ -295667,11 +295669,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall httpd Package @@ -295681,11 +295683,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall the inet-based telnet server @@ -295694,11 +295696,11 @@ which the system will be deployed as closely as possible.The RPM package inetutils-telnetd should be removed. - + - + Uninstall iprutils Package @@ -295708,11 +295710,11 @@ which the system will be deployed as closely as possible. - + - + Install iptables-services Package @@ -295722,11 +295724,11 @@ which the system will be deployed as closely as possible. - + - + Remove iptables-services Package @@ -295736,11 +295738,11 @@ which the system will be deployed as closely as possible. - + - + Install iptables Package @@ -295750,11 +295752,11 @@ which the system will be deployed as closely as possible. - + - + Remove the Kerberos Server Package @@ -295764,11 +295766,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall krb5-workstation Package @@ -295778,11 +295780,11 @@ which the system will be deployed as closely as possible. - + - + Install libcap-ng-utils Package @@ -295792,11 +295794,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall libreport-plugin-logger Package @@ -295806,11 +295808,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall libreport-plugin-rhtsupport Package @@ -295820,11 +295822,11 @@ which the system will be deployed as closely as possible. - + - + Install libreswan Package @@ -295834,11 +295836,11 @@ which the system will be deployed as closely as possible. - + - + Install libselinux Package @@ -295848,11 +295850,11 @@ which the system will be deployed as closely as possible. - + - + Ensure logrotate is Installed @@ -295862,11 +295864,11 @@ which the system will be deployed as closely as possible. - + - + The mailx Package Is Installed @@ -295876,11 +295878,11 @@ which the system will be deployed as closely as possible. - + - + Install McAfee Endpoint Security for Linux (ENSL) @@ -295890,11 +295892,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall mcstrans Package @@ -295904,11 +295906,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall net-snmp Package @@ -295918,11 +295920,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall nfs-utils Package @@ -295932,11 +295934,11 @@ which the system will be deployed as closely as possible. - + - + Install nftables Package @@ -295946,11 +295948,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall nginx Package @@ -295960,11 +295962,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall the nis package @@ -295973,11 +295975,11 @@ which the system will be deployed as closely as possible.The RPM package nis should be removed. - + - + Ensure nss-tools is installed @@ -295987,11 +295989,11 @@ which the system will be deployed as closely as possible. - + - + Install the ntp service @@ -296000,11 +296002,11 @@ which the system will be deployed as closely as possible.The RPM package ntp should be installed. - + - + Uninstall the ntpdate package @@ -296013,11 +296015,11 @@ which the system will be deployed as closely as possible.The RPM package ntpdate should be removed. - + - + Ensure LDAP client is not installed @@ -296027,11 +296029,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall openldap-servers Package @@ -296041,11 +296043,11 @@ which the system will be deployed as closely as possible. - + - + Install the opensc Package For Multifactor Authentication @@ -296055,11 +296057,11 @@ which the system will be deployed as closely as possible. - + - + Install openscap-scanner Package @@ -296069,11 +296071,11 @@ which the system will be deployed as closely as possible. - + - + Install OpenSSH client software @@ -296083,11 +296085,11 @@ which the system will be deployed as closely as possible. - + - + Install the OpenSSH Server Package @@ -296097,11 +296099,11 @@ which the system will be deployed as closely as possible. - + - + Remove the OpenSSH Server Package @@ -296110,11 +296112,11 @@ which the system will be deployed as closely as possible.The RPM package openssh-server should be removed. - + - + package_pam_ldap_removed @@ -296123,11 +296125,11 @@ which the system will be deployed as closely as possible.The RPM package pam_ldap should be removed. - + - + Install pam_pwquality Package @@ -296136,11 +296138,11 @@ which the system will be deployed as closely as possible.The RPM package libpwquality should be installed. - + - + Install the pcsc-lite package @@ -296150,11 +296152,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall pigz Package @@ -296164,11 +296166,11 @@ which the system will be deployed as closely as possible. - + - + Install policycoreutils-python-utils package @@ -296178,11 +296180,11 @@ which the system will be deployed as closely as possible. - + - + Install policycoreutils Package @@ -296192,11 +296194,11 @@ which the system will be deployed as closely as possible. - + - + The Postfix package is installed @@ -296206,11 +296208,11 @@ which the system will be deployed as closely as possible. - + - + package_prelink_removed @@ -296219,11 +296221,11 @@ which the system will be deployed as closely as possible.The RPM package prelink should be removed. - + - + Install the psacct package @@ -296233,11 +296235,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall python3-abrt-addon Package @@ -296247,11 +296249,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall quagga Package @@ -296261,11 +296263,11 @@ which the system will be deployed as closely as possible. - + - + Install rear Package @@ -296275,11 +296277,11 @@ which the system will be deployed as closely as possible. - + - + Install rng-tools Package @@ -296289,11 +296291,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rpcbind Package @@ -296303,11 +296305,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rsh-server Package @@ -296317,11 +296319,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rsh Package @@ -296331,11 +296333,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rsync Package @@ -296345,11 +296347,11 @@ which the system will be deployed as closely as possible. - + - + Ensure rsyslog-gnutls is installed @@ -296359,11 +296361,11 @@ which the system will be deployed as closely as possible. - + - + Ensure rsyslog is Installed @@ -296373,11 +296375,11 @@ which the system will be deployed as closely as possible. - + - + Install the Samba Common Package @@ -296386,11 +296388,11 @@ which the system will be deployed as closely as possible.The RPM package samba-common should be installed. - + - + package_samba-common_removed @@ -296399,11 +296401,11 @@ which the system will be deployed as closely as possible.The RPM package samba-common should be removed. - + - + Uninstall Samba Package @@ -296413,11 +296415,11 @@ which the system will be deployed as closely as possible. - + - + Install scap-security-guide Package @@ -296427,11 +296429,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall Sendmail Package @@ -296441,11 +296443,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall setroubleshoot-plugins Package @@ -296455,11 +296457,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall setroubleshoot-server Package @@ -296469,11 +296471,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall setroubleshoot Package @@ -296483,11 +296485,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall squid Package @@ -296497,11 +296499,11 @@ which the system will be deployed as closely as possible. - + - + Install sssd-ipa Package @@ -296511,11 +296513,11 @@ which the system will be deployed as closely as possible. - + - + Install the SSSD Package @@ -296525,11 +296527,11 @@ which the system will be deployed as closely as possible. - + - + Install subscription-manager Package @@ -296539,11 +296541,11 @@ which the system will be deployed as closely as possible. - + - + Install sudo Package @@ -296553,11 +296555,11 @@ which the system will be deployed as closely as possible. - + - + Ensure syslog-ng is Installed @@ -296566,11 +296568,11 @@ which the system will be deployed as closely as possible.The RPM package syslog-ng should be installed. - + - + Install systemd-journal-remote Package @@ -296579,11 +296581,11 @@ which the system will be deployed as closely as possible.The RPM package systemd-journal-remote should be installed. - + - + Uninstall talk-server Package @@ -296593,11 +296595,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall talk Package @@ -296607,11 +296609,11 @@ which the system will be deployed as closely as possible. - + - + Install tar Package @@ -296621,11 +296623,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall telnet-server Package @@ -296635,11 +296637,11 @@ which the system will be deployed as closely as possible. - + - + Remove telnet Clients @@ -296649,11 +296651,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall the ssl compliant telnet server @@ -296662,11 +296664,11 @@ which the system will be deployed as closely as possible.The RPM package telnetd-ssl should be removed. - + - + Uninstall the telnet server @@ -296676,11 +296678,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall tftp-server Package @@ -296690,11 +296692,11 @@ which the system will be deployed as closely as possible. - + - + Remove tftp Daemon @@ -296704,11 +296706,11 @@ which the system will be deployed as closely as possible. - + - + Install the tmux Package @@ -296718,11 +296720,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall tuned Package @@ -296732,11 +296734,11 @@ which the system will be deployed as closely as possible. - + - + Install usbguard Package @@ -296746,11 +296748,11 @@ which the system will be deployed as closely as possible. - + - + Install vim Package @@ -296760,11 +296762,11 @@ which the system will be deployed as closely as possible. - + - + Install vsftpd Package @@ -296774,11 +296776,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall vsftpd Package @@ -296788,11 +296790,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall xinetd Package @@ -296802,11 +296804,11 @@ which the system will be deployed as closely as possible. - + - + Remove the X Windows Package Group @@ -296816,11 +296818,11 @@ which the system will be deployed as closely as possible. - + - + Remove NIS Client @@ -296830,11 +296832,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall ypserv Package @@ -296844,11 +296846,11 @@ which the system will be deployed as closely as possible. - + - + Ensure /boot Located On Separate Partition @@ -296862,11 +296864,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /dev/shm is configured @@ -296880,11 +296882,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /home Located On Separate Partition @@ -296898,11 +296900,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /opt Located On Separate Partition @@ -296916,11 +296918,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /srv Located On Separate Partition @@ -296934,11 +296936,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /tmp Located On Separate Partition @@ -296952,11 +296954,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /usr Located On Separate Partition @@ -296970,11 +296972,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var Located On Separate Partition @@ -296988,11 +296990,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var/log Located On Separate Partition @@ -297006,11 +297008,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var/log/audit Located On Separate Partition @@ -297024,11 +297026,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var/tmp Located On Separate Partition @@ -297042,11 +297044,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. @@ -297057,14 +297059,14 @@ which the system will be deployed as closely as possible. - + - + Ensure Log Files Are Owned By Appropriate Group @@ -297075,10 +297077,10 @@ which the system will be deployed as closely as possible. - + - + Ensure Log Files Are Owned By Appropriate User @@ -297089,10 +297091,10 @@ which the system will be deployed as closely as possible. - + - + Ensure System Log Files Have Correct Permissions @@ -297103,10 +297105,10 @@ which the system will be deployed as closely as possible. - + - + Disable the abrt_anon_write SELinux Boolean @@ -297115,11 +297117,11 @@ which the system will be deployed as closely as possible.The SELinux 'abrt_anon_write' boolean should be set in the system configuration. - + - + Disable the abrt_handle_event SELinux Boolean @@ -297128,11 +297130,11 @@ which the system will be deployed as closely as possible.The SELinux 'abrt_handle_event' boolean should be set in the system configuration. - + - + Disable the abrt_upload_watch_anon_write SELinux Boolean @@ -297141,11 +297143,11 @@ which the system will be deployed as closely as possible.The SELinux 'abrt_upload_watch_anon_write' boolean should be set in the system configuration. - + - + Enable the antivirus_can_scan_system SELinux Boolean @@ -297154,11 +297156,11 @@ which the system will be deployed as closely as possible.The SELinux 'antivirus_can_scan_system' boolean should be set in the system configuration. - + - + Disable the antivirus_use_jit SELinux Boolean @@ -297167,11 +297169,11 @@ which the system will be deployed as closely as possible.The SELinux 'antivirus_use_jit' boolean should be set in the system configuration. - + - + Enable the auditadm_exec_content SELinux Boolean @@ -297181,11 +297183,11 @@ which the system will be deployed as closely as possible. - + - + Disable the authlogin_nsswitch_use_ldap SELinux Boolean @@ -297195,11 +297197,11 @@ which the system will be deployed as closely as possible. - + - + Disable the authlogin_radius SELinux Boolean @@ -297209,11 +297211,11 @@ which the system will be deployed as closely as possible. - + - + Disable the authlogin_yubikey SELinux Boolean @@ -297222,11 +297224,11 @@ which the system will be deployed as closely as possible.The SELinux 'authlogin_yubikey' boolean should be set in the system configuration. - + - + Disable the awstats_purge_apache_log_files SELinux Boolean @@ -297235,11 +297237,11 @@ which the system will be deployed as closely as possible.The SELinux 'awstats_purge_apache_log_files' boolean should be set in the system configuration. - + - + Disable the boinc_execmem SELinux Boolean @@ -297249,11 +297251,11 @@ which the system will be deployed as closely as possible. - + - + Disable the cdrecord_read_content SELinux Boolean @@ -297262,11 +297264,11 @@ which the system will be deployed as closely as possible.The SELinux 'cdrecord_read_content' boolean should be set in the system configuration. - + - + Disable the cluster_can_network_connect SELinux Boolean @@ -297275,11 +297277,11 @@ which the system will be deployed as closely as possible.The SELinux 'cluster_can_network_connect' boolean should be set in the system configuration. - + - + Disable the cluster_manage_all_files SELinux Boolean @@ -297288,11 +297290,11 @@ which the system will be deployed as closely as possible.The SELinux 'cluster_manage_all_files' boolean should be set in the system configuration. - + - + Disable the cluster_use_execmem SELinux Boolean @@ -297302,11 +297304,11 @@ which the system will be deployed as closely as possible. - + - + Disable the cobbler_anon_write SELinux Boolean @@ -297315,11 +297317,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_anon_write' boolean should be set in the system configuration. - + - + Disable the cobbler_can_network_connect SELinux Boolean @@ -297328,11 +297330,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_can_network_connect' boolean should be set in the system configuration. - + - + Disable the cobbler_use_cifs SELinux Boolean @@ -297341,11 +297343,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_use_cifs' boolean should be set in the system configuration. - + - + Disable the cobbler_use_nfs SELinux Boolean @@ -297354,11 +297356,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_use_nfs' boolean should be set in the system configuration. - + - + Disable the collectd_tcp_network_connect SELinux Boolean @@ -297367,11 +297369,11 @@ which the system will be deployed as closely as possible.The SELinux 'collectd_tcp_network_connect' boolean should be set in the system configuration. - + - + Disable the condor_tcp_network_connect SELinux Boolean @@ -297380,11 +297382,11 @@ which the system will be deployed as closely as possible.The SELinux 'condor_tcp_network_connect' boolean should be set in the system configuration. - + - + Disable the conman_can_network SELinux Boolean @@ -297393,11 +297395,11 @@ which the system will be deployed as closely as possible.The SELinux 'conman_can_network' boolean should be set in the system configuration. - + - + Disable the container_connect_any SELinux Boolean @@ -297406,11 +297408,11 @@ which the system will be deployed as closely as possible.The SELinux 'container_connect_any' boolean should be set in the system configuration. - + - + Disable the cron_can_relabel SELinux Boolean @@ -297419,11 +297421,11 @@ which the system will be deployed as closely as possible.The SELinux 'cron_can_relabel' boolean should be set in the system configuration. - + - + Disable the cron_system_cronjob_use_shares SELinux Boolean @@ -297432,11 +297434,11 @@ which the system will be deployed as closely as possible.The SELinux 'cron_system_cronjob_use_shares' boolean should be set in the system configuration. - + - + Enable the cron_userdomain_transition SELinux Boolean @@ -297445,11 +297447,11 @@ which the system will be deployed as closely as possible.The SELinux 'cron_userdomain_transition' boolean should be set in the system configuration. - + - + Disable the cups_execmem SELinux Boolean @@ -297459,11 +297461,11 @@ which the system will be deployed as closely as possible. - + - + Disable the cvs_read_shadow SELinux Boolean @@ -297472,11 +297474,11 @@ which the system will be deployed as closely as possible.The SELinux 'cvs_read_shadow' boolean should be set in the system configuration. - + - + Disable the daemons_dump_core SELinux Boolean @@ -297485,11 +297487,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_dump_core' boolean should be set in the system configuration. - + - + Disable the daemons_enable_cluster_mode SELinux Boolean @@ -297498,11 +297500,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_enable_cluster_mode' boolean should be set in the system configuration. - + - + Disable the daemons_use_tcp_wrapper SELinux Boolean @@ -297511,11 +297513,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_use_tcp_wrapper' boolean should be set in the system configuration. - + - + Disable the daemons_use_tty SELinux Boolean @@ -297524,11 +297526,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_use_tty' boolean should be set in the system configuration. - + - + Enable the dbadm_exec_content SELinux Boolean @@ -297537,11 +297539,11 @@ which the system will be deployed as closely as possible.The SELinux 'dbadm_exec_content' boolean should be set in the system configuration. - + - + Disable the dbadm_manage_user_files SELinux Boolean @@ -297550,11 +297552,11 @@ which the system will be deployed as closely as possible.The SELinux 'dbadm_manage_user_files' boolean should be set in the system configuration. - + - + Disable the dbadm_read_user_files SELinux Boolean @@ -297563,11 +297565,11 @@ which the system will be deployed as closely as possible.The SELinux 'dbadm_read_user_files' boolean should be set in the system configuration. - + - + Configure the deny_execmem SELinux Boolean @@ -297577,11 +297579,11 @@ which the system will be deployed as closely as possible. - + - + Disable the deny_ptrace SELinux Boolean @@ -297590,11 +297592,11 @@ which the system will be deployed as closely as possible.The SELinux 'deny_ptrace' boolean should be set in the system configuration. - + - + Disable the dhcpc_exec_iptables SELinux Boolean @@ -297603,11 +297605,11 @@ which the system will be deployed as closely as possible.The SELinux 'dhcpc_exec_iptables' boolean should be set in the system configuration. - + - + Disable the dhcpd_use_ldap SELinux Boolean @@ -297616,11 +297618,11 @@ which the system will be deployed as closely as possible.The SELinux 'dhcpd_use_ldap' boolean should be set in the system configuration. - + - + Enable the domain_fd_use SELinux Boolean @@ -297629,11 +297631,11 @@ which the system will be deployed as closely as possible.The SELinux 'domain_fd_use' boolean should be set in the system configuration. - + - + Disable the domain_kernel_load_modules SELinux Boolean @@ -297642,11 +297644,11 @@ which the system will be deployed as closely as possible.The SELinux 'domain_kernel_load_modules' boolean should be set in the system configuration. - + - + Disable the entropyd_use_audio SELinux Boolean @@ -297655,11 +297657,11 @@ which the system will be deployed as closely as possible.The SELinux 'entropyd_use_audio' boolean should be set in the system configuration. - + - + Disable the exim_can_connect_db SELinux Boolean @@ -297668,11 +297670,11 @@ which the system will be deployed as closely as possible.The SELinux 'exim_can_connect_db' boolean should be set in the system configuration. - + - + Disable the exim_manage_user_files SELinux Boolean @@ -297681,11 +297683,11 @@ which the system will be deployed as closely as possible.The SELinux 'exim_manage_user_files' boolean should be set in the system configuration. - + - + Disable the exim_read_user_files SELinux Boolean @@ -297694,11 +297696,11 @@ which the system will be deployed as closely as possible.The SELinux 'exim_read_user_files' boolean should be set in the system configuration. - + - + Disable the fcron_crond SELinux Boolean @@ -297707,11 +297709,11 @@ which the system will be deployed as closely as possible.The SELinux 'fcron_crond' boolean should be set in the system configuration. - + - + Disable the fenced_can_network_connect SELinux Boolean @@ -297720,11 +297722,11 @@ which the system will be deployed as closely as possible.The SELinux 'fenced_can_network_connect' boolean should be set in the system configuration. - + - + Disable the fenced_can_ssh SELinux Boolean @@ -297733,11 +297735,11 @@ which the system will be deployed as closely as possible.The SELinux 'fenced_can_ssh' boolean should be set in the system configuration. - + - + Enable the fips_mode SELinux Boolean @@ -297746,11 +297748,11 @@ which the system will be deployed as closely as possible.The SELinux 'fips_mode' boolean should be set in the system configuration. - + - + Disable the ftpd_anon_write SELinux Boolean @@ -297759,11 +297761,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_anon_write' boolean should be set in the system configuration. - + - + Disable the ftpd_connect_all_unreserved SELinux Boolean @@ -297772,11 +297774,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_connect_all_unreserved' boolean should be set in the system configuration. - + - + Disable the ftpd_connect_db SELinux Boolean @@ -297785,11 +297787,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_connect_db' boolean should be set in the system configuration. - + - + Disable the ftpd_full_access SELinux Boolean @@ -297798,11 +297800,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_full_access' boolean should be set in the system configuration. - + - + Disable the ftpd_use_cifs SELinux Boolean @@ -297811,11 +297813,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_cifs' boolean should be set in the system configuration. - + - + Disable the ftpd_use_fusefs SELinux Boolean @@ -297824,11 +297826,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_fusefs' boolean should be set in the system configuration. - + - + Disable the ftpd_use_nfs SELinux Boolean @@ -297837,11 +297839,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_nfs' boolean should be set in the system configuration. - + - + Disable the ftpd_use_passive_mode SELinux Boolean @@ -297850,11 +297852,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_passive_mode' boolean should be set in the system configuration. - + - + Disable the git_cgi_enable_homedirs SELinux Boolean @@ -297863,11 +297865,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_cgi_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the git_cgi_use_cifs SELinux Boolean @@ -297876,11 +297878,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_cgi_use_cifs' boolean should be set in the system configuration. - + - + Disable the git_cgi_use_nfs SELinux Boolean @@ -297889,11 +297891,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_cgi_use_nfs' boolean should be set in the system configuration. - + - + Disable the git_session_bind_all_unreserved_ports SELinux Boolean @@ -297902,11 +297904,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_session_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the git_session_users SELinux Boolean @@ -297915,11 +297917,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_session_users' boolean should be set in the system configuration. - + - + Disable the git_system_enable_homedirs SELinux Boolean @@ -297928,11 +297930,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_system_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the git_system_use_cifs SELinux Boolean @@ -297941,11 +297943,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_system_use_cifs' boolean should be set in the system configuration. - + - + Disable the git_system_use_nfs SELinux Boolean @@ -297954,11 +297956,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_system_use_nfs' boolean should be set in the system configuration. - + - + Disable the gitosis_can_sendmail SELinux Boolean @@ -297967,11 +297969,11 @@ which the system will be deployed as closely as possible.The SELinux 'gitosis_can_sendmail' boolean should be set in the system configuration. - + - + Disable the glance_api_can_network SELinux Boolean @@ -297980,11 +297982,11 @@ which the system will be deployed as closely as possible.The SELinux 'glance_api_can_network' boolean should be set in the system configuration. - + - + Disable the glance_use_execmem SELinux Boolean @@ -297994,11 +297996,11 @@ which the system will be deployed as closely as possible. - + - + Disable the glance_use_fusefs SELinux Boolean @@ -298007,11 +298009,11 @@ which the system will be deployed as closely as possible.The SELinux 'glance_use_fusefs' boolean should be set in the system configuration. - + - + Disable the global_ssp SELinux Boolean @@ -298020,11 +298022,11 @@ which the system will be deployed as closely as possible.The SELinux 'global_ssp' boolean should be set in the system configuration. - + - + Disable the gluster_anon_write SELinux Boolean @@ -298033,11 +298035,11 @@ which the system will be deployed as closely as possible.The SELinux 'gluster_anon_write' boolean should be set in the system configuration. - + - + Disable the gluster_export_all_ro SELinux Boolean @@ -298046,11 +298048,11 @@ which the system will be deployed as closely as possible.The SELinux 'gluster_export_all_ro' boolean should be set in the system configuration. - + - + Configure the gluster_export_all_rw SELinux Boolean @@ -298059,11 +298061,11 @@ which the system will be deployed as closely as possible.The SELinux 'gluster_export_all_rw' boolean should be set in the system configuration. - + - + Disable the gpg_web_anon_write SELinux Boolean @@ -298072,11 +298074,11 @@ which the system will be deployed as closely as possible.The SELinux 'gpg_web_anon_write' boolean should be set in the system configuration. - + - + Enable the gssd_read_tmp SELinux Boolean @@ -298085,11 +298087,11 @@ which the system will be deployed as closely as possible.The SELinux 'gssd_read_tmp' boolean should be set in the system configuration. - + - + Disable the guest_exec_content SELinux Boolean @@ -298098,11 +298100,11 @@ which the system will be deployed as closely as possible.The SELinux 'guest_exec_content' boolean should be set in the system configuration. - + - + Disable the haproxy_connect_any SELinux Boolean @@ -298111,11 +298113,11 @@ which the system will be deployed as closely as possible.The SELinux 'haproxy_connect_any' boolean should be set in the system configuration. - + - + Disable the httpd_anon_write SELinux Boolean @@ -298124,11 +298126,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_anon_write' boolean should be set in the system configuration. - + - + Configure the httpd_builtin_scripting SELinux Boolean @@ -298137,11 +298139,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_builtin_scripting' boolean should be set in the system configuration. - + - + Disable the httpd_can_check_spam SELinux Boolean @@ -298150,11 +298152,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_check_spam' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_ftp SELinux Boolean @@ -298163,11 +298165,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_ftp' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_ldap SELinux Boolean @@ -298176,11 +298178,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_ldap' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_mythtv SELinux Boolean @@ -298189,11 +298191,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_mythtv' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_zabbix SELinux Boolean @@ -298202,11 +298204,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_zabbix' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_connect SELinux Boolean @@ -298215,11 +298217,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_connect' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_connect_cobbler SELinux Boolean @@ -298228,11 +298230,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_connect_cobbler' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_connect_db SELinux Boolean @@ -298241,11 +298243,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_connect_db' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_memcache SELinux Boolean @@ -298254,11 +298256,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_memcache' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_relay SELinux Boolean @@ -298267,11 +298269,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_relay' boolean should be set in the system configuration. - + - + Disable the httpd_can_sendmail SELinux Boolean @@ -298280,11 +298282,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_sendmail' boolean should be set in the system configuration. - + - + Disable the httpd_dbus_avahi SELinux Boolean @@ -298293,11 +298295,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_dbus_avahi' boolean should be set in the system configuration. - + - + Disable the httpd_dbus_sssd SELinux Boolean @@ -298306,11 +298308,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_dbus_sssd' boolean should be set in the system configuration. - + - + Disable the httpd_dontaudit_search_dirs SELinux Boolean @@ -298319,11 +298321,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_dontaudit_search_dirs' boolean should be set in the system configuration. - + - + Configure the httpd_enable_cgi SELinux Boolean @@ -298332,11 +298334,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_enable_cgi' boolean should be set in the system configuration. - + - + Disable the httpd_enable_ftp_server SELinux Boolean @@ -298345,11 +298347,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_enable_ftp_server' boolean should be set in the system configuration. - + - + Disable the httpd_enable_homedirs SELinux Boolean @@ -298358,11 +298360,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the httpd_execmem SELinux Boolean @@ -298372,11 +298374,11 @@ which the system will be deployed as closely as possible. - + - + Enable the httpd_graceful_shutdown SELinux Boolean @@ -298385,11 +298387,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_graceful_shutdown' boolean should be set in the system configuration. - + - + Disable the httpd_manage_ipa SELinux Boolean @@ -298398,11 +298400,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_manage_ipa' boolean should be set in the system configuration. - + - + Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean @@ -298411,11 +298413,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_mod_auth_ntlm_winbind' boolean should be set in the system configuration. - + - + Disable the httpd_mod_auth_pam SELinux Boolean @@ -298424,11 +298426,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_mod_auth_pam' boolean should be set in the system configuration. - + - + Disable the httpd_read_user_content SELinux Boolean @@ -298437,11 +298439,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_read_user_content' boolean should be set in the system configuration. - + - + Disable the httpd_run_ipa SELinux Boolean @@ -298450,11 +298452,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_run_ipa' boolean should be set in the system configuration. - + - + Disable the httpd_run_preupgrade SELinux Boolean @@ -298463,11 +298465,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_run_preupgrade' boolean should be set in the system configuration. - + - + Disable the httpd_run_stickshift SELinux Boolean @@ -298476,11 +298478,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_run_stickshift' boolean should be set in the system configuration. - + - + Disable the httpd_serve_cobbler_files SELinux Boolean @@ -298489,11 +298491,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_serve_cobbler_files' boolean should be set in the system configuration. - + - + Disable the httpd_setrlimit SELinux Boolean @@ -298502,11 +298504,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_setrlimit' boolean should be set in the system configuration. - + - + Disable the httpd_ssi_exec SELinux Boolean @@ -298515,11 +298517,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_ssi_exec' boolean should be set in the system configuration. - + - + Disable the httpd_sys_script_anon_write SELinux Boolean @@ -298528,11 +298530,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_sys_script_anon_write' boolean should be set in the system configuration. - + - + Disable the httpd_tmp_exec SELinux Boolean @@ -298541,11 +298543,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_tmp_exec' boolean should be set in the system configuration. - + - + Disable the httpd_tty_comm SELinux Boolean @@ -298554,11 +298556,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_tty_comm' boolean should be set in the system configuration. - + - + Disable the httpd_unified SELinux Boolean @@ -298567,11 +298569,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_unified' boolean should be set in the system configuration. - + - + Disable the httpd_use_cifs SELinux Boolean @@ -298580,11 +298582,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_cifs' boolean should be set in the system configuration. - + - + Disable the httpd_use_fusefs SELinux Boolean @@ -298593,11 +298595,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_fusefs' boolean should be set in the system configuration. - + - + Disable the httpd_use_gpg SELinux Boolean @@ -298606,11 +298608,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_gpg' boolean should be set in the system configuration. - + - + Disable the httpd_use_nfs SELinux Boolean @@ -298619,11 +298621,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_nfs' boolean should be set in the system configuration. - + - + Disable the httpd_use_openstack SELinux Boolean @@ -298632,11 +298634,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_openstack' boolean should be set in the system configuration. - + - + Disable the httpd_use_sasl SELinux Boolean @@ -298645,11 +298647,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_sasl' boolean should be set in the system configuration. - + - + Disable the httpd_verify_dns SELinux Boolean @@ -298658,11 +298660,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_verify_dns' boolean should be set in the system configuration. - + - + Disable the icecast_use_any_tcp_ports SELinux Boolean @@ -298671,11 +298673,11 @@ which the system will be deployed as closely as possible.The SELinux 'icecast_use_any_tcp_ports' boolean should be set in the system configuration. - + - + Disable the irc_use_any_tcp_ports SELinux Boolean @@ -298684,11 +298686,11 @@ which the system will be deployed as closely as possible.The SELinux 'irc_use_any_tcp_ports' boolean should be set in the system configuration. - + - + Disable the irssi_use_full_network SELinux Boolean @@ -298697,11 +298699,11 @@ which the system will be deployed as closely as possible.The SELinux 'irssi_use_full_network' boolean should be set in the system configuration. - + - + Disable the kdumpgui_run_bootloader SELinux Boolean @@ -298710,11 +298712,11 @@ which the system will be deployed as closely as possible.The SELinux 'kdumpgui_run_bootloader' boolean should be set in the system configuration. - + - + Enable the kerberos_enabled SELinux Boolean @@ -298724,11 +298726,11 @@ which the system will be deployed as closely as possible. - + - + Disable the ksmtuned_use_cifs SELinux Boolean @@ -298737,11 +298739,11 @@ which the system will be deployed as closely as possible.The SELinux 'ksmtuned_use_cifs' boolean should be set in the system configuration. - + - + Disable the ksmtuned_use_nfs SELinux Boolean @@ -298750,11 +298752,11 @@ which the system will be deployed as closely as possible.The SELinux 'ksmtuned_use_nfs' boolean should be set in the system configuration. - + - + Enable the logadm_exec_content SELinux Boolean @@ -298763,11 +298765,11 @@ which the system will be deployed as closely as possible.The SELinux 'logadm_exec_content' boolean should be set in the system configuration. - + - + Disable the logging_syslogd_can_sendmail SELinux Boolean @@ -298776,11 +298778,11 @@ which the system will be deployed as closely as possible.The SELinux 'logging_syslogd_can_sendmail' boolean should be set in the system configuration. - + - + Disable the logging_syslogd_run_nagios_plugins SELinux Boolean @@ -298789,11 +298791,11 @@ which the system will be deployed as closely as possible.The SELinux 'logging_syslogd_run_nagios_plugins' boolean should be set in the system configuration. - + - + Enable the logging_syslogd_use_tty SELinux Boolean @@ -298802,11 +298804,11 @@ which the system will be deployed as closely as possible.The SELinux 'logging_syslogd_use_tty' boolean should be set in the system configuration. - + - + Enable the login_console_enabled SELinux Boolean @@ -298815,11 +298817,11 @@ which the system will be deployed as closely as possible.The SELinux 'login_console_enabled' boolean should be set in the system configuration. - + - + Disable the logrotate_use_nfs SELinux Boolean @@ -298828,11 +298830,11 @@ which the system will be deployed as closely as possible.The SELinux 'logrotate_use_nfs' boolean should be set in the system configuration. - + - + Disable the logwatch_can_network_connect_mail SELinux Boolean @@ -298841,11 +298843,11 @@ which the system will be deployed as closely as possible.The SELinux 'logwatch_can_network_connect_mail' boolean should be set in the system configuration. - + - + Disable the lsmd_plugin_connect_any SELinux Boolean @@ -298854,11 +298856,11 @@ which the system will be deployed as closely as possible.The SELinux 'lsmd_plugin_connect_any' boolean should be set in the system configuration. - + - + Disable the mailman_use_fusefs SELinux Boolean @@ -298867,11 +298869,11 @@ which the system will be deployed as closely as possible.The SELinux 'mailman_use_fusefs' boolean should be set in the system configuration. - + - + Disable the mcelog_client SELinux Boolean @@ -298880,11 +298882,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_client' boolean should be set in the system configuration. - + - + Enable the mcelog_exec_scripts SELinux Boolean @@ -298893,11 +298895,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_exec_scripts' boolean should be set in the system configuration. - + - + Disable the mcelog_foreground SELinux Boolean @@ -298906,11 +298908,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_foreground' boolean should be set in the system configuration. - + - + Disable the mcelog_server SELinux Boolean @@ -298919,11 +298921,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_server' boolean should be set in the system configuration. - + - + Disable the minidlna_read_generic_user_content SELinux Boolean @@ -298932,11 +298934,11 @@ which the system will be deployed as closely as possible.The SELinux 'minidlna_read_generic_user_content' boolean should be set in the system configuration. - + - + Disable the mmap_low_allowed SELinux Boolean @@ -298945,11 +298947,11 @@ which the system will be deployed as closely as possible.The SELinux 'mmap_low_allowed' boolean should be set in the system configuration. - + - + Disable the mock_enable_homedirs SELinux Boolean @@ -298958,11 +298960,11 @@ which the system will be deployed as closely as possible.The SELinux 'mock_enable_homedirs' boolean should be set in the system configuration. - + - + Enable the mount_anyfile SELinux Boolean @@ -298971,11 +298973,11 @@ which the system will be deployed as closely as possible.The SELinux 'mount_anyfile' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean @@ -298984,11 +298986,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_bind_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_can_network_connect SELinux Boolean @@ -298997,11 +298999,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_can_network_connect' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_use_bluejeans SELinux Boolean @@ -299010,11 +299012,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_use_bluejeans' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_use_gps SELinux Boolean @@ -299023,11 +299025,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_use_gps' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_use_spice SELinux Boolean @@ -299036,11 +299038,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_use_spice' boolean should be set in the system configuration. - + - + Disable the mozilla_read_content SELinux Boolean @@ -299049,11 +299051,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_read_content' boolean should be set in the system configuration. - + - + Disable the mpd_enable_homedirs SELinux Boolean @@ -299062,11 +299064,11 @@ which the system will be deployed as closely as possible.The SELinux 'mpd_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the mpd_use_cifs SELinux Boolean @@ -299075,11 +299077,11 @@ which the system will be deployed as closely as possible.The SELinux 'mpd_use_cifs' boolean should be set in the system configuration. - + - + Disable the mpd_use_nfs SELinux Boolean @@ -299088,11 +299090,11 @@ which the system will be deployed as closely as possible.The SELinux 'mpd_use_nfs' boolean should be set in the system configuration. - + - + Disable the mplayer_execstack SELinux Boolean @@ -299101,11 +299103,11 @@ which the system will be deployed as closely as possible.The SELinux 'mplayer_execstack' boolean should be set in the system configuration. - + - + Disable the mysql_connect_any SELinux Boolean @@ -299114,11 +299116,11 @@ which the system will be deployed as closely as possible.The SELinux 'mysql_connect_any' boolean should be set in the system configuration. - + - + Disable the nagios_run_pnp4nagios SELinux Boolean @@ -299127,11 +299129,11 @@ which the system will be deployed as closely as possible.The SELinux 'nagios_run_pnp4nagios' boolean should be set in the system configuration. - + - + Disable the nagios_run_sudo SELinux Boolean @@ -299140,11 +299142,11 @@ which the system will be deployed as closely as possible.The SELinux 'nagios_run_sudo' boolean should be set in the system configuration. - + - + Disable the named_tcp_bind_http_port SELinux Boolean @@ -299153,11 +299155,11 @@ which the system will be deployed as closely as possible.The SELinux 'named_tcp_bind_http_port' boolean should be set in the system configuration. - + - + Disable the named_write_master_zones SELinux Boolean @@ -299166,11 +299168,11 @@ which the system will be deployed as closely as possible.The SELinux 'named_write_master_zones' boolean should be set in the system configuration. - + - + Disable the neutron_can_network SELinux Boolean @@ -299179,11 +299181,11 @@ which the system will be deployed as closely as possible.The SELinux 'neutron_can_network' boolean should be set in the system configuration. - + - + Enable the nfs_export_all_ro SELinux Boolean @@ -299192,11 +299194,11 @@ which the system will be deployed as closely as possible.The SELinux 'nfs_export_all_ro' boolean should be set in the system configuration. - + - + Enable the nfs_export_all_rw SELinux Boolean @@ -299205,11 +299207,11 @@ which the system will be deployed as closely as possible.The SELinux 'nfs_export_all_rw' boolean should be set in the system configuration. - + - + Disable the nfsd_anon_write SELinux Boolean @@ -299218,11 +299220,11 @@ which the system will be deployed as closely as possible.The SELinux 'nfsd_anon_write' boolean should be set in the system configuration. - + - + Disable the nis_enabled SELinux Boolean @@ -299231,11 +299233,11 @@ which the system will be deployed as closely as possible.The SELinux 'nis_enabled' boolean should be set in the system configuration. - + - + Enable the nscd_use_shm SELinux Boolean @@ -299244,11 +299246,11 @@ which the system will be deployed as closely as possible.The SELinux 'nscd_use_shm' boolean should be set in the system configuration. - + - + Disable the openshift_use_nfs SELinux Boolean @@ -299257,11 +299259,11 @@ which the system will be deployed as closely as possible.The SELinux 'openshift_use_nfs' boolean should be set in the system configuration. - + - + Disable the openvpn_can_network_connect SELinux Boolean @@ -299270,11 +299272,11 @@ which the system will be deployed as closely as possible.The SELinux 'openvpn_can_network_connect' boolean should be set in the system configuration. - + - + Disable the openvpn_enable_homedirs SELinux Boolean @@ -299283,11 +299285,11 @@ which the system will be deployed as closely as possible.The SELinux 'openvpn_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the openvpn_run_unconfined SELinux Boolean @@ -299296,11 +299298,11 @@ which the system will be deployed as closely as possible.The SELinux 'openvpn_run_unconfined' boolean should be set in the system configuration. - + - + Disable the pcp_bind_all_unreserved_ports SELinux Boolean @@ -299309,11 +299311,11 @@ which the system will be deployed as closely as possible.The SELinux 'pcp_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the pcp_read_generic_logs SELinux Boolean @@ -299322,11 +299324,11 @@ which the system will be deployed as closely as possible.The SELinux 'pcp_read_generic_logs' boolean should be set in the system configuration. - + - + Disable the piranha_lvs_can_network_connect SELinux Boolean @@ -299335,11 +299337,11 @@ which the system will be deployed as closely as possible.The SELinux 'piranha_lvs_can_network_connect' boolean should be set in the system configuration. - + - + Disable the polipo_connect_all_unreserved SELinux Boolean @@ -299348,11 +299350,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_connect_all_unreserved' boolean should be set in the system configuration. - + - + Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean @@ -299361,11 +299363,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_session_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the polipo_session_users SELinux Boolean @@ -299374,11 +299376,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_session_users' boolean should be set in the system configuration. - + - + Disable the polipo_use_cifs SELinux Boolean @@ -299387,11 +299389,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_use_cifs' boolean should be set in the system configuration. - + - + Disable the polipo_use_nfs SELinux Boolean @@ -299400,11 +299402,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_use_nfs' boolean should be set in the system configuration. - + - + Configure the polyinstantiation_enabled SELinux Boolean @@ -299414,11 +299416,11 @@ which the system will be deployed as closely as possible. - + - + Enable the postfix_local_write_mail_spool SELinux Boolean @@ -299427,11 +299429,11 @@ which the system will be deployed as closely as possible.The SELinux 'postfix_local_write_mail_spool' boolean should be set in the system configuration. - + - + Disable the postgresql_can_rsync SELinux Boolean @@ -299440,11 +299442,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_can_rsync' boolean should be set in the system configuration. - + - + Disable the postgresql_selinux_transmit_client_label SELinux Boolean @@ -299453,11 +299455,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_selinux_transmit_client_label' boolean should be set in the system configuration. - + - + Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean @@ -299466,11 +299468,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_selinux_unconfined_dbadm' boolean should be set in the system configuration. - + - + Enable the postgresql_selinux_users_ddl SELinux Boolean @@ -299479,11 +299481,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_selinux_users_ddl' boolean should be set in the system configuration. - + - + Disable the pppd_can_insmod SELinux Boolean @@ -299492,11 +299494,11 @@ which the system will be deployed as closely as possible.The SELinux 'pppd_can_insmod' boolean should be set in the system configuration. - + - + Disable the pppd_for_user SELinux Boolean @@ -299505,11 +299507,11 @@ which the system will be deployed as closely as possible.The SELinux 'pppd_for_user' boolean should be set in the system configuration. - + - + Disable the privoxy_connect_any SELinux Boolean @@ -299518,11 +299520,11 @@ which the system will be deployed as closely as possible.The SELinux 'privoxy_connect_any' boolean should be set in the system configuration. - + - + Disable the prosody_bind_http_port SELinux Boolean @@ -299531,11 +299533,11 @@ which the system will be deployed as closely as possible.The SELinux 'prosody_bind_http_port' boolean should be set in the system configuration. - + - + Disable the puppetagent_manage_all_files SELinux Boolean @@ -299544,11 +299546,11 @@ which the system will be deployed as closely as possible.The SELinux 'puppetagent_manage_all_files' boolean should be set in the system configuration. - + - + Disable the puppetmaster_use_db SELinux Boolean @@ -299557,11 +299559,11 @@ which the system will be deployed as closely as possible.The SELinux 'puppetmaster_use_db' boolean should be set in the system configuration. - + - + Disable the racoon_read_shadow SELinux Boolean @@ -299570,11 +299572,11 @@ which the system will be deployed as closely as possible.The SELinux 'racoon_read_shadow' boolean should be set in the system configuration. - + - + Disable the rsync_anon_write SELinux Boolean @@ -299583,11 +299585,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_anon_write' boolean should be set in the system configuration. - + - + Disable the rsync_client SELinux Boolean @@ -299596,11 +299598,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_client' boolean should be set in the system configuration. - + - + Disable the rsync_export_all_ro SELinux Boolean @@ -299609,11 +299611,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_export_all_ro' boolean should be set in the system configuration. - + - + Disable the rsync_full_access SELinux Boolean @@ -299622,11 +299624,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_full_access' boolean should be set in the system configuration. - + - + Disable the samba_create_home_dirs SELinux Boolean @@ -299635,11 +299637,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_create_home_dirs' boolean should be set in the system configuration. - + - + Disable the samba_domain_controller SELinux Boolean @@ -299648,11 +299650,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_domain_controller' boolean should be set in the system configuration. - + - + Disable the samba_enable_home_dirs SELinux Boolean @@ -299661,11 +299663,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_enable_home_dirs' boolean should be set in the system configuration. - + - + Disable the samba_export_all_ro SELinux Boolean @@ -299674,11 +299676,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_export_all_ro' boolean should be set in the system configuration. - + - + Disable the samba_export_all_rw SELinux Boolean @@ -299687,11 +299689,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_export_all_rw' boolean should be set in the system configuration. - + - + Disable the samba_load_libgfapi SELinux Boolean @@ -299700,11 +299702,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_load_libgfapi' boolean should be set in the system configuration. - + - + Disable the samba_portmapper SELinux Boolean @@ -299713,11 +299715,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_portmapper' boolean should be set in the system configuration. - + - + Disable the samba_run_unconfined SELinux Boolean @@ -299726,11 +299728,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_run_unconfined' boolean should be set in the system configuration. - + - + Disable the samba_share_fusefs SELinux Boolean @@ -299739,11 +299741,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_share_fusefs' boolean should be set in the system configuration. - + - + Disable the samba_share_nfs SELinux Boolean @@ -299752,11 +299754,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_share_nfs' boolean should be set in the system configuration. - + - + Disable the sanlock_use_fusefs SELinux Boolean @@ -299765,11 +299767,11 @@ which the system will be deployed as closely as possible.The SELinux 'sanlock_use_fusefs' boolean should be set in the system configuration. - + - + Disable the sanlock_use_nfs SELinux Boolean @@ -299778,11 +299780,11 @@ which the system will be deployed as closely as possible.The SELinux 'sanlock_use_nfs' boolean should be set in the system configuration. - + - + Disable the sanlock_use_samba SELinux Boolean @@ -299791,11 +299793,11 @@ which the system will be deployed as closely as possible.The SELinux 'sanlock_use_samba' boolean should be set in the system configuration. - + - + Disable the saslauthd_read_shadow SELinux Boolean @@ -299804,11 +299806,11 @@ which the system will be deployed as closely as possible.The SELinux 'saslauthd_read_shadow' boolean should be set in the system configuration. - + - + Enable the secadm_exec_content SELinux Boolean @@ -299817,11 +299819,11 @@ which the system will be deployed as closely as possible.The SELinux 'secadm_exec_content' boolean should be set in the system configuration. - + - + Disable the secure_mode SELinux Boolean @@ -299830,11 +299832,11 @@ which the system will be deployed as closely as possible.The SELinux 'secure_mode' boolean should be set in the system configuration. - + - + Configure the secure_mode_insmod SELinux Boolean @@ -299844,11 +299846,11 @@ which the system will be deployed as closely as possible. - + - + Disable the secure_mode_policyload SELinux Boolean @@ -299857,11 +299859,11 @@ which the system will be deployed as closely as possible.The SELinux 'secure_mode_policyload' boolean should be set in the system configuration. - + - + Configure the selinuxuser_direct_dri_enabled SELinux Boolean @@ -299870,11 +299872,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_direct_dri_enabled' boolean should be set in the system configuration. - + - + Disable the selinuxuser_execheap SELinux Boolean @@ -299884,11 +299886,11 @@ which the system will be deployed as closely as possible. - + - + Enable the selinuxuser_execmod SELinux Boolean @@ -299898,11 +299900,11 @@ which the system will be deployed as closely as possible. - + - + Disable the selinuxuser_execstack SELinux Boolean @@ -299912,11 +299914,11 @@ which the system will be deployed as closely as possible. - + - + Disable the selinuxuser_mysql_connect_enabled SELinux Boolean @@ -299925,11 +299927,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_mysql_connect_enabled' boolean should be set in the system configuration. - + - + Enable the selinuxuser_ping SELinux Boolean @@ -299938,11 +299940,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_ping' boolean should be set in the system configuration. - + - + Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean @@ -299951,11 +299953,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_postgresql_connect_enabled' boolean should be set in the system configuration. - + - + Disable the selinuxuser_rw_noexattrfile SELinux Boolean @@ -299964,11 +299966,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_rw_noexattrfile' boolean should be set in the system configuration. - + - + Disable the selinuxuser_share_music SELinux Boolean @@ -299977,11 +299979,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_share_music' boolean should be set in the system configuration. - + - + Disable the selinuxuser_tcp_server SELinux Boolean @@ -299990,11 +299992,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_tcp_server' boolean should be set in the system configuration. - + - + Disable the selinuxuser_udp_server SELinux Boolean @@ -300003,11 +300005,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_udp_server' boolean should be set in the system configuration. - + - + Disable the selinuxuser_use_ssh_chroot SELinux Boolean @@ -300016,11 +300018,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_use_ssh_chroot' boolean should be set in the system configuration. - + - + Disable the sge_domain_can_network_connect SELinux Boolean @@ -300029,11 +300031,11 @@ which the system will be deployed as closely as possible.The SELinux 'sge_domain_can_network_connect' boolean should be set in the system configuration. - + - + Disable the sge_use_nfs SELinux Boolean @@ -300042,11 +300044,11 @@ which the system will be deployed as closely as possible.The SELinux 'sge_use_nfs' boolean should be set in the system configuration. - + - + Disable the smartmon_3ware SELinux Boolean @@ -300055,11 +300057,11 @@ which the system will be deployed as closely as possible.The SELinux 'smartmon_3ware' boolean should be set in the system configuration. - + - + Disable the smbd_anon_write SELinux Boolean @@ -300068,11 +300070,11 @@ which the system will be deployed as closely as possible.The SELinux 'smbd_anon_write' boolean should be set in the system configuration. - + - + Disable the spamassassin_can_network SELinux Boolean @@ -300081,11 +300083,11 @@ which the system will be deployed as closely as possible.The SELinux 'spamassassin_can_network' boolean should be set in the system configuration. - + - + Enable the spamd_enable_home_dirs SELinux Boolean @@ -300094,11 +300096,11 @@ which the system will be deployed as closely as possible.The SELinux 'spamd_enable_home_dirs' boolean should be set in the system configuration. - + - + Disable the squid_connect_any SELinux Boolean @@ -300107,11 +300109,11 @@ which the system will be deployed as closely as possible.The SELinux 'squid_connect_any' boolean should be set in the system configuration. - + - + Disable the squid_use_tproxy SELinux Boolean @@ -300120,11 +300122,11 @@ which the system will be deployed as closely as possible.The SELinux 'squid_use_tproxy' boolean should be set in the system configuration. - + - + Disable the ssh_chroot_rw_homedirs SELinux Boolean @@ -300133,11 +300135,11 @@ which the system will be deployed as closely as possible.The SELinux 'ssh_chroot_rw_homedirs' boolean should be set in the system configuration. - + - + Disable the ssh_keysign SELinux Boolean @@ -300146,11 +300148,11 @@ which the system will be deployed as closely as possible.The SELinux 'ssh_keysign' boolean should be set in the system configuration. - + - + Disable the ssh_sysadm_login SELinux Boolean @@ -300160,11 +300162,11 @@ which the system will be deployed as closely as possible. - + - + Enable the staff_exec_content SELinux Boolean @@ -300173,11 +300175,11 @@ which the system will be deployed as closely as possible.The SELinux 'staff_exec_content' boolean should be set in the system configuration. - + - + Disable the staff_use_svirt SELinux Boolean @@ -300186,11 +300188,11 @@ which the system will be deployed as closely as possible.The SELinux 'staff_use_svirt' boolean should be set in the system configuration. - + - + Disable the swift_can_network SELinux Boolean @@ -300199,11 +300201,11 @@ which the system will be deployed as closely as possible.The SELinux 'swift_can_network' boolean should be set in the system configuration. - + - + Enable the sysadm_exec_content SELinux Boolean @@ -300212,11 +300214,11 @@ which the system will be deployed as closely as possible.The SELinux 'sysadm_exec_content' boolean should be set in the system configuration. - + - + Disable the telepathy_connect_all_ports SELinux Boolean @@ -300225,11 +300227,11 @@ which the system will be deployed as closely as possible.The SELinux 'telepathy_connect_all_ports' boolean should be set in the system configuration. - + - + Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean @@ -300238,11 +300240,11 @@ which the system will be deployed as closely as possible.The SELinux 'telepathy_tcp_connect_generic_network_ports' boolean should be set in the system configuration. - + - + Disable the tftp_anon_write SELinux Boolean @@ -300251,11 +300253,11 @@ which the system will be deployed as closely as possible.The SELinux 'tftp_anon_write' boolean should be set in the system configuration. - + - + Disable the tftp_home_dir SELinux Boolean @@ -300264,11 +300266,11 @@ which the system will be deployed as closely as possible.The SELinux 'tftp_home_dir' boolean should be set in the system configuration. - + - + Disable the tmpreaper_use_nfs SELinux Boolean @@ -300277,11 +300279,11 @@ which the system will be deployed as closely as possible.The SELinux 'tmpreaper_use_nfs' boolean should be set in the system configuration. - + - + Disable the tmpreaper_use_samba SELinux Boolean @@ -300290,11 +300292,11 @@ which the system will be deployed as closely as possible.The SELinux 'tmpreaper_use_samba' boolean should be set in the system configuration. - + - + Disable the tor_bind_all_unreserved_ports SELinux Boolean @@ -300303,11 +300305,11 @@ which the system will be deployed as closely as possible.The SELinux 'tor_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the tor_can_network_relay SELinux Boolean @@ -300316,11 +300318,11 @@ which the system will be deployed as closely as possible.The SELinux 'tor_can_network_relay' boolean should be set in the system configuration. - + - + Enable the unconfined_chrome_sandbox_transition SELinux Boolean @@ -300329,11 +300331,11 @@ which the system will be deployed as closely as possible.The SELinux 'unconfined_chrome_sandbox_transition' boolean should be set in the system configuration. - + - + Enable the unconfined_login SELinux Boolean @@ -300342,11 +300344,11 @@ which the system will be deployed as closely as possible.The SELinux 'unconfined_login' boolean should be set in the system configuration. - + - + Enable the unconfined_mozilla_plugin_transition SELinux Boolean @@ -300355,11 +300357,11 @@ which the system will be deployed as closely as possible.The SELinux 'unconfined_mozilla_plugin_transition' boolean should be set in the system configuration. - + - + Disable the unprivuser_use_svirt SELinux Boolean @@ -300368,11 +300370,11 @@ which the system will be deployed as closely as possible.The SELinux 'unprivuser_use_svirt' boolean should be set in the system configuration. - + - + Disable the use_ecryptfs_home_dirs SELinux Boolean @@ -300381,11 +300383,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_ecryptfs_home_dirs' boolean should be set in the system configuration. - + - + Disable the use_fusefs_home_dirs SELinux Boolean @@ -300394,11 +300396,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_fusefs_home_dirs' boolean should be set in the system configuration. - + - + Disable the use_lpd_server SELinux Boolean @@ -300407,11 +300409,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_lpd_server' boolean should be set in the system configuration. - + - + Disable the use_nfs_home_dirs SELinux Boolean @@ -300420,11 +300422,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_nfs_home_dirs' boolean should be set in the system configuration. - + - + Disable the use_samba_home_dirs SELinux Boolean @@ -300433,11 +300435,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_samba_home_dirs' boolean should be set in the system configuration. - + - + Enable the user_exec_content SELinux Boolean @@ -300446,11 +300448,11 @@ which the system will be deployed as closely as possible.The SELinux 'user_exec_content' boolean should be set in the system configuration. - + - + Disable the varnishd_connect_any SELinux Boolean @@ -300459,11 +300461,11 @@ which the system will be deployed as closely as possible.The SELinux 'varnishd_connect_any' boolean should be set in the system configuration. - + - + Disable the virt_read_qemu_ga_data SELinux Boolean @@ -300472,11 +300474,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_read_qemu_ga_data' boolean should be set in the system configuration. - + - + Disable the virt_rw_qemu_ga_data SELinux Boolean @@ -300485,11 +300487,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_rw_qemu_ga_data' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_all_caps SELinux Boolean @@ -300498,11 +300500,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_all_caps' boolean should be set in the system configuration. - + - + Enable the virt_sandbox_use_audit SELinux Boolean @@ -300511,11 +300513,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_audit' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_mknod SELinux Boolean @@ -300524,11 +300526,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_mknod' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_netlink SELinux Boolean @@ -300537,11 +300539,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_netlink' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_sys_admin SELinux Boolean @@ -300550,11 +300552,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_sys_admin' boolean should be set in the system configuration. - + - + Disable the virt_transition_userdomain SELinux Boolean @@ -300563,11 +300565,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_transition_userdomain' boolean should be set in the system configuration. - + - + Disable the virt_use_comm SELinux Boolean @@ -300576,11 +300578,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_comm' boolean should be set in the system configuration. - + - + Disable the virt_use_execmem SELinux Boolean @@ -300590,11 +300592,11 @@ which the system will be deployed as closely as possible. - + - + Disable the virt_use_fusefs SELinux Boolean @@ -300603,11 +300605,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_fusefs' boolean should be set in the system configuration. - + - + Disable the virt_use_nfs SELinux Boolean @@ -300616,11 +300618,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_nfs' boolean should be set in the system configuration. - + - + Disable the virt_use_rawip SELinux Boolean @@ -300629,11 +300631,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_rawip' boolean should be set in the system configuration. - + - + Disable the virt_use_samba SELinux Boolean @@ -300642,11 +300644,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_samba' boolean should be set in the system configuration. - + - + Disable the virt_use_sanlock SELinux Boolean @@ -300655,11 +300657,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_sanlock' boolean should be set in the system configuration. - + - + Disable the virt_use_usb SELinux Boolean @@ -300668,11 +300670,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_usb' boolean should be set in the system configuration. - + - + Disable the virt_use_xserver SELinux Boolean @@ -300681,11 +300683,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_xserver' boolean should be set in the system configuration. - + - + Disable the webadm_manage_user_files SELinux Boolean @@ -300694,11 +300696,11 @@ which the system will be deployed as closely as possible.The SELinux 'webadm_manage_user_files' boolean should be set in the system configuration. - + - + Disable the webadm_read_user_files SELinux Boolean @@ -300707,11 +300709,11 @@ which the system will be deployed as closely as possible.The SELinux 'webadm_read_user_files' boolean should be set in the system configuration. - + - + Disable the wine_mmap_zero_ignore SELinux Boolean @@ -300720,11 +300722,11 @@ which the system will be deployed as closely as possible.The SELinux 'wine_mmap_zero_ignore' boolean should be set in the system configuration. - + - + Disable the xdm_bind_vnc_tcp_port SELinux Boolean @@ -300733,11 +300735,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_bind_vnc_tcp_port' boolean should be set in the system configuration. - + - + Disable the xdm_exec_bootloader SELinux Boolean @@ -300746,11 +300748,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_exec_bootloader' boolean should be set in the system configuration. - + - + Disable the xdm_sysadm_login SELinux Boolean @@ -300759,11 +300761,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_sysadm_login' boolean should be set in the system configuration. - + - + Disable the xdm_write_home SELinux Boolean @@ -300772,11 +300774,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_write_home' boolean should be set in the system configuration. - + - + Disable the xen_use_nfs SELinux Boolean @@ -300785,11 +300787,11 @@ which the system will be deployed as closely as possible.The SELinux 'xen_use_nfs' boolean should be set in the system configuration. - + - + Enable the xend_run_blktap SELinux Boolean @@ -300798,11 +300800,11 @@ which the system will be deployed as closely as possible.The SELinux 'xend_run_blktap' boolean should be set in the system configuration. - + - + Enable the xend_run_qemu SELinux Boolean @@ -300811,11 +300813,11 @@ which the system will be deployed as closely as possible.The SELinux 'xend_run_qemu' boolean should be set in the system configuration. - + - + Disable the xguest_connect_network SELinux Boolean @@ -300824,11 +300826,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_connect_network' boolean should be set in the system configuration. - + - + Disable the xguest_exec_content SELinux Boolean @@ -300837,11 +300839,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_exec_content' boolean should be set in the system configuration. - + - + Disable the xguest_mount_media SELinux Boolean @@ -300850,11 +300852,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_mount_media' boolean should be set in the system configuration. - + - + Disable the xguest_use_bluetooth SELinux Boolean @@ -300863,11 +300865,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_use_bluetooth' boolean should be set in the system configuration. - + - + Disable the xserver_clients_write_xshm SELinux Boolean @@ -300876,11 +300878,11 @@ which the system will be deployed as closely as possible.The SELinux 'xserver_clients_write_xshm' boolean should be set in the system configuration. - + - + Disable the xserver_execmem SELinux Boolean @@ -300890,11 +300892,11 @@ which the system will be deployed as closely as possible. - + - + Disable the xserver_object_manager SELinux Boolean @@ -300903,11 +300905,11 @@ which the system will be deployed as closely as possible.The SELinux 'xserver_object_manager' boolean should be set in the system configuration. - + - + Disable the zabbix_can_network SELinux Boolean @@ -300916,11 +300918,11 @@ which the system will be deployed as closely as possible.The SELinux 'zabbix_can_network' boolean should be set in the system configuration. - + - + Disable the zarafa_setrlimit SELinux Boolean @@ -300929,11 +300931,11 @@ which the system will be deployed as closely as possible.The SELinux 'zarafa_setrlimit' boolean should be set in the system configuration. - + - + Disable the zebra_write_config SELinux Boolean @@ -300942,11 +300944,11 @@ which the system will be deployed as closely as possible.The SELinux 'zebra_write_config' boolean should be set in the system configuration. - + - + Disable the zoneminder_anon_write SELinux Boolean @@ -300955,11 +300957,11 @@ which the system will be deployed as closely as possible.The SELinux 'zoneminder_anon_write' boolean should be set in the system configuration. - + - + Disable the zoneminder_run_sudo SELinux Boolean @@ -300968,11 +300970,11 @@ which the system will be deployed as closely as possible.The SELinux 'zoneminder_run_sudo' boolean should be set in the system configuration. - + - + Disable Automatic Bug Reporting Tool (abrtd) @@ -300984,13 +300986,13 @@ which the system will be deployed as closely as possible. - + - + Disable Advanced Configuration and Power Interface (acpid) @@ -301002,13 +301004,13 @@ which the system will be deployed as closely as possible. - + - + Disable At Service (atd) @@ -301020,13 +301022,13 @@ which the system will be deployed as closely as possible. - + - + Enable auditd Service @@ -301040,14 +301042,14 @@ which the system will be deployed as closely as possible. - + - + Disable the Automounter @@ -301059,13 +301061,13 @@ which the system will be deployed as closely as possible. - + - + Disable Avahi Server Software @@ -301077,13 +301079,13 @@ which the system will be deployed as closely as possible. - + - + Disable Bluetooth Service @@ -301094,13 +301096,13 @@ which the system will be deployed as closely as possible. - + - + Disable Certmonger Service (certmonger) @@ -301112,13 +301114,13 @@ which the system will be deployed as closely as possible. - + - + The Chronyd service is enabled @@ -301132,14 +301134,14 @@ which the system will be deployed as closely as possible. - + - + Disable Cockpit Management Server @@ -301150,13 +301152,13 @@ which the system will be deployed as closely as possible. - + - + Disable CPU Speed (cpupower) @@ -301168,13 +301170,13 @@ which the system will be deployed as closely as possible. - + - + Enable cron Service @@ -301187,14 +301189,14 @@ which the system will be deployed as closely as possible. - + - + Enable cron Service @@ -301208,14 +301210,14 @@ which the system will be deployed as closely as possible. - + - + Disable the CUPS Service @@ -301227,13 +301229,13 @@ which the system will be deployed as closely as possible. - + - + Disable debug-shell SystemD Service @@ -301245,13 +301247,13 @@ which the system will be deployed as closely as possible. - + - + Disable DHCP Service @@ -301263,13 +301265,13 @@ which the system will be deployed as closely as possible. - + - + Disable Dovecot Service @@ -301281,13 +301283,13 @@ which the system will be deployed as closely as possible. - + - + Enable the File Access Policy Service @@ -301301,14 +301303,14 @@ which the system will be deployed as closely as possible. - + - + Verify firewalld Enabled @@ -301322,14 +301324,14 @@ which the system will be deployed as closely as possible. - + - + Disable httpd Service @@ -301341,13 +301343,13 @@ which the system will be deployed as closely as possible. - + - + Verify ip6tables Enabled if Using IPv6 @@ -301361,14 +301363,14 @@ which the system will be deployed as closely as possible. - + - + Verify iptables Enabled @@ -301382,14 +301384,14 @@ which the system will be deployed as closely as possible. - + - + Disable KDump Kernel Crash Analyzer (kdump) @@ -301401,13 +301403,13 @@ which the system will be deployed as closely as possible. - + - + Disable Software RAID Monitor (mdmonitor) @@ -301419,13 +301421,13 @@ which the system will be deployed as closely as possible. - + - + Enable nails Service @@ -301438,14 +301440,14 @@ which the system will be deployed as closely as possible. - + - + Disable named Service @@ -301457,13 +301459,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network Console (netconsole) @@ -301475,13 +301477,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network File Systems (netfs) @@ -301492,13 +301494,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network File System (nfs) @@ -301510,13 +301512,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network File System Lock Service (nfslock) @@ -301527,13 +301529,13 @@ which the system will be deployed as closely as possible. - + - + Verify nftables Service is Disabled @@ -301545,13 +301547,13 @@ which the system will be deployed as closely as possible. - + - + Verify nftables Service is Enabled @@ -301565,14 +301567,14 @@ which the system will be deployed as closely as possible. - + - + Enable the NTP Daemon @@ -301585,14 +301587,14 @@ which the system will be deployed as closely as possible. - + - + Enable the NTP Daemon @@ -301605,14 +301607,14 @@ which the system will be deployed as closely as possible. - + - + Disable ntpdate Service (ntpdate) @@ -301624,13 +301626,13 @@ which the system will be deployed as closely as possible. - + - + Disable Odd Job Daemon (oddjobd) @@ -301642,13 +301644,13 @@ which the system will be deployed as closely as possible. - + - + Enable the pcscd Service @@ -301662,14 +301664,14 @@ which the system will be deployed as closely as possible. - + - + Disable Portreserve (portreserve) @@ -301681,13 +301683,13 @@ which the system will be deployed as closely as possible. - + - + Enable Postfix Service @@ -301700,14 +301702,14 @@ which the system will be deployed as closely as possible. - + - + Enable Process Accounting (psacct) @@ -301721,14 +301723,14 @@ which the system will be deployed as closely as possible. - + - + Disable Apache Qpid (qpidd) @@ -301740,13 +301742,13 @@ which the system will be deployed as closely as possible. - + - + Disable Quota Netlink (quota_nld) @@ -301758,13 +301760,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network Router Discovery Daemon (rdisc) @@ -301776,13 +301778,13 @@ which the system will be deployed as closely as possible. - + - + Disable rexec Service @@ -301794,13 +301796,13 @@ which the system will be deployed as closely as possible. - + - + Disable Red Hat Network Service (rhnsd) @@ -301812,13 +301814,13 @@ which the system will be deployed as closely as possible. - + - + Disable Red Hat Subscription Manager Daemon (rhsmcertd) @@ -301830,13 +301832,13 @@ which the system will be deployed as closely as possible. - + - + Disable rlogin Service @@ -301848,13 +301850,13 @@ which the system will be deployed as closely as possible. - + - + Enable the Hardware RNG Entropy Gatherer Service @@ -301868,14 +301870,14 @@ which the system will be deployed as closely as possible. - + - + Disable rpcbind Service @@ -301887,13 +301889,13 @@ which the system will be deployed as closely as possible. - + - + Disable Secure RPC Client Service (rpcgssd) @@ -301904,13 +301906,13 @@ which the system will be deployed as closely as possible. - + - + Disable RPC ID Mapping Service (rpcidmapd) @@ -301921,13 +301923,13 @@ which the system will be deployed as closely as possible. - + - + Disable Secure RPC Server Service (rpcsvcgssd) @@ -301938,13 +301940,13 @@ which the system will be deployed as closely as possible. - + - + Disable rsh Service @@ -301956,13 +301958,13 @@ which the system will be deployed as closely as possible. - + - + Ensure rsyncd service is disabled @@ -301974,13 +301976,13 @@ which the system will be deployed as closely as possible. - + - + Enable rsyslog Service @@ -301994,14 +301996,14 @@ which the system will be deployed as closely as possible. - + - + Disable Cyrus SASL Authentication Daemon (saslauthd) @@ -302013,13 +302015,13 @@ which the system will be deployed as closely as possible. - + - + Disable LDAP Server (slapd) @@ -302031,13 +302033,13 @@ which the system will be deployed as closely as possible. - + - + Disable Samba @@ -302049,13 +302051,13 @@ which the system will be deployed as closely as possible. - + - + Disable snmpd Service @@ -302067,13 +302069,13 @@ which the system will be deployed as closely as possible. - + - + Disable Squid @@ -302085,13 +302087,13 @@ which the system will be deployed as closely as possible. - + - + Disable SSH Server If Possible @@ -302102,13 +302104,13 @@ which the system will be deployed as closely as possible. - + - + Enable the OpenSSH Service @@ -302122,14 +302124,14 @@ which the system will be deployed as closely as possible. - + - + Enable the SSSD Service @@ -302143,14 +302145,14 @@ which the system will be deployed as closely as possible. - + - + service_syslog_disabled @@ -302161,13 +302163,13 @@ which the system will be deployed as closely as possible. - + - + Enable syslog-ng Service @@ -302180,14 +302182,14 @@ which the system will be deployed as closely as possible. - + - + Disable System Statistics Reset Service (sysstat) @@ -302199,13 +302201,13 @@ which the system will be deployed as closely as possible. - + - + Disable acquiring, saving, and processing core dumps @@ -302215,11 +302217,11 @@ which the system will be deployed as closely as possible. - + - + Enable systemd-journald Service @@ -302233,14 +302235,14 @@ which the system will be deployed as closely as possible. - + - + Disable telnet Service @@ -302252,13 +302254,13 @@ which the system will be deployed as closely as possible. - + - + Disable tftp Service @@ -302270,13 +302272,13 @@ which the system will be deployed as closely as possible. - + - + Verify ufw Enabled @@ -302289,14 +302291,14 @@ which the system will be deployed as closely as possible. - + - + Enable the USBGuard Service @@ -302310,14 +302312,14 @@ which the system will be deployed as closely as possible. - + - + Disable vsftpd Service @@ -302329,13 +302331,13 @@ which the system will be deployed as closely as possible. - + - + Disable xinetd Service @@ -302347,13 +302349,13 @@ which the system will be deployed as closely as possible. - + - + Disable ypbind Service @@ -302365,13 +302367,13 @@ which the system will be deployed as closely as possible. - + - + Disable ypserv Service @@ -302383,13 +302385,13 @@ which the system will be deployed as closely as possible. - + - + Disable Quagga Service @@ -302401,13 +302403,27 @@ which the system will be deployed as closely as possible. - + - + + + Set Default firewalld Zone for Incoming Packets + + Red Hat Enterprise Linux 8 + + Check presence of DefaultZone=drop in /etc/firewalld/firewalld.conf + + + + + + + + Disable systemd-journal-remote Socket @@ -302417,11 +302433,11 @@ which the system will be deployed as closely as possible. - + - + Disable SSH Access via Empty Passwords @@ -302448,7 +302464,7 @@ which the system will be deployed as closely as possible. - + Disable GSSAPI Authentication @@ -302475,7 +302491,7 @@ which the system will be deployed as closely as possible. - + Disable Kerberos Authentication @@ -302502,7 +302518,7 @@ which the system will be deployed as closely as possible. - + Disable PubkeyAuthentication Authentication @@ -302529,7 +302545,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Support for .rhosts Files @@ -302556,7 +302572,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Root Login @@ -302583,7 +302599,7 @@ which the system will be deployed as closely as possible. - + Disable SSH root Login with a Password (Insecure) @@ -302609,7 +302625,7 @@ which the system will be deployed as closely as possible. - + Disable SSH TCP Forwarding @@ -302636,7 +302652,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Support for User Known Hosts @@ -302663,7 +302679,7 @@ which the system will be deployed as closely as possible. - + Disable X11 Forwarding @@ -302690,7 +302706,7 @@ which the system will be deployed as closely as possible. - + Do Not Allow SSH Environment Options @@ -302717,7 +302733,7 @@ which the system will be deployed as closely as possible. - + Enable GSSAPI Authentication @@ -302743,7 +302759,7 @@ which the system will be deployed as closely as possible. - + Enable PAM @@ -302770,7 +302786,7 @@ which the system will be deployed as closely as possible. - + Enable Public Key Authentication @@ -302796,7 +302812,7 @@ which the system will be deployed as closely as possible. - + Enable Use of Strict Mode Checking @@ -302823,7 +302839,7 @@ which the system will be deployed as closely as possible. - + Enable SSH Warning Banner @@ -302850,7 +302866,7 @@ which the system will be deployed as closely as possible. - + Enable SSH Warning Banner @@ -302877,7 +302893,7 @@ which the system will be deployed as closely as possible. - + Enable Encrypted X11 Forwarding @@ -302904,7 +302920,7 @@ which the system will be deployed as closely as possible. - + sshd_includes_config_files @@ -302913,11 +302929,11 @@ which the system will be deployed as closely as possible.Check presence of Include /etc/ssh/sshd_config.d/*.conf in /etc/ssh/sshd_config - + - + Enable SSH Print Last Log @@ -302944,7 +302960,7 @@ which the system will be deployed as closely as possible. - + Set SSH Client Alive Count Max to zero @@ -302971,7 +302987,7 @@ which the system will be deployed as closely as possible. - + Set LogLevel to INFO @@ -302998,7 +303014,7 @@ which the system will be deployed as closely as possible. - + Set SSH Daemon LogLevel to VERBOSE @@ -303025,7 +303041,7 @@ which the system will be deployed as closely as possible. - + SSH server uses strong entropy to seed @@ -303039,7 +303055,7 @@ which the system will be deployed as closely as possible. - + Prevent remote hosts from connecting to the proxy display @@ -303066,7 +303082,7 @@ which the system will be deployed as closely as possible. - + Enable Certmap in SSSD @@ -303076,11 +303092,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo Runs In A Minimal Environment - sudo env_reset @@ -303090,11 +303106,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot @@ -303104,11 +303120,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC @@ -303118,11 +303134,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout @@ -303132,11 +303148,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty @@ -303146,11 +303162,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo umask is appropriate - sudo umask @@ -303160,11 +303176,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty @@ -303174,11 +303190,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Sudo Logfile Exists - sudo logfile @@ -303188,11 +303204,11 @@ which the system will be deployed as closely as possible. - + - + Ensure only owner and members of group owner of /usr/bin/sudo can execute it @@ -303204,11 +303220,11 @@ which the system will be deployed as closely as possible. - + - + Enable Kernel Parameter to Enforce DAC on Hardlinks @@ -303223,7 +303239,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Hardlinks @@ -303236,7 +303252,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Hardlinks @@ -303253,7 +303269,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Symlinks @@ -303268,7 +303284,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Symlinks @@ -303281,7 +303297,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Symlinks @@ -303298,7 +303314,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for SUID programs @@ -303313,7 +303329,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for SUID programs @@ -303326,7 +303342,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for SUID programs @@ -303343,7 +303359,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dumps @@ -303358,7 +303374,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dumps @@ -303371,7 +303387,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dumps @@ -303388,7 +303404,7 @@ which the system will be deployed as closely as possible. - + Configure file name of core dumps @@ -303402,7 +303418,7 @@ which the system will be deployed as closely as possible. - + Configure file name of core dumps @@ -303415,7 +303431,7 @@ which the system will be deployed as closely as possible. - + Configure file name of core dumps @@ -303432,7 +303448,7 @@ which the system will be deployed as closely as possible. - + Restrict Access to Kernel Message Buffer @@ -303447,7 +303463,7 @@ which the system will be deployed as closely as possible. - + Restrict Access to Kernel Message Buffer @@ -303460,7 +303476,7 @@ which the system will be deployed as closely as possible. - + Restrict Access to Kernel Message Buffer @@ -303477,7 +303493,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Image Loading @@ -303492,7 +303508,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Image Loading @@ -303505,7 +303521,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Image Loading @@ -303522,7 +303538,7 @@ which the system will be deployed as closely as possible. - + Restrict Exposed Kernel Pointer Addresses Access @@ -303537,7 +303553,7 @@ which the system will be deployed as closely as possible. - + Restrict Exposed Kernel Pointer Addresses Access @@ -303550,7 +303566,7 @@ which the system will be deployed as closely as possible. - + Restrict Exposed Kernel Pointer Addresses Access @@ -303567,7 +303583,7 @@ which the system will be deployed as closely as possible. - + Disable loading and unloading of kernel modules @@ -303582,7 +303598,7 @@ which the system will be deployed as closely as possible. - + Disable loading and unloading of kernel modules @@ -303595,7 +303611,7 @@ which the system will be deployed as closely as possible. - + Disable loading and unloading of kernel modules @@ -303612,7 +303628,7 @@ which the system will be deployed as closely as possible. - + Kernel panic on oops @@ -303627,7 +303643,7 @@ which the system will be deployed as closely as possible. - + Kernel panic on oops @@ -303640,7 +303656,7 @@ which the system will be deployed as closely as possible. - + Kernel panic on oops @@ -303657,7 +303673,7 @@ which the system will be deployed as closely as possible. - + Limit CPU consumption of the Perf system @@ -303672,7 +303688,7 @@ which the system will be deployed as closely as possible. - + Limit CPU consumption of the Perf system @@ -303685,7 +303701,7 @@ which the system will be deployed as closely as possible. - + Limit CPU consumption of the Perf system @@ -303702,7 +303718,7 @@ which the system will be deployed as closely as possible. - + Limit sampling frequency of the Perf system @@ -303717,7 +303733,7 @@ which the system will be deployed as closely as possible. - + Limit sampling frequency of the Perf system @@ -303730,7 +303746,7 @@ which the system will be deployed as closely as possible. - + Limit sampling frequency of the Perf system @@ -303747,7 +303763,7 @@ which the system will be deployed as closely as possible. - + Disallow kernel profiling by unprivileged users @@ -303762,7 +303778,7 @@ which the system will be deployed as closely as possible. - + Disallow kernel profiling by unprivileged users @@ -303775,7 +303791,7 @@ which the system will be deployed as closely as possible. - + Disallow kernel profiling by unprivileged users @@ -303792,7 +303808,7 @@ which the system will be deployed as closely as possible. - + Configure maximum number of process identifiers @@ -303807,7 +303823,7 @@ which the system will be deployed as closely as possible. - + Configure maximum number of process identifiers @@ -303820,7 +303836,7 @@ which the system will be deployed as closely as possible. - + Configure maximum number of process identifiers @@ -303837,7 +303853,7 @@ which the system will be deployed as closely as possible. - + Enable Randomized Layout of Virtual Address Space @@ -303852,7 +303868,7 @@ which the system will be deployed as closely as possible. - + Enable Randomized Layout of Virtual Address Space @@ -303865,7 +303881,7 @@ which the system will be deployed as closely as possible. - + Enable Randomized Layout of Virtual Address Space @@ -303882,7 +303898,7 @@ which the system will be deployed as closely as possible. - + Disallow magic SysRq key @@ -303897,7 +303913,7 @@ which the system will be deployed as closely as possible. - + Disallow magic SysRq key @@ -303910,7 +303926,7 @@ which the system will be deployed as closely as possible. - + Disallow magic SysRq key @@ -303927,7 +303943,7 @@ which the system will be deployed as closely as possible. - + Disable Access to Network bpf() Syscall From Unprivileged Processes @@ -303942,7 +303958,7 @@ which the system will be deployed as closely as possible. - + Disable Access to Network bpf() Syscall From Unprivileged Processes @@ -303955,7 +303971,7 @@ which the system will be deployed as closely as possible. - + Disable Access to Network bpf() Syscall From Unprivileged Processes @@ -303972,7 +303988,7 @@ which the system will be deployed as closely as possible. - + Restrict usage of ptrace to descendant processes @@ -303987,7 +304003,7 @@ which the system will be deployed as closely as possible. - + Restrict usage of ptrace to descendant processes @@ -304000,7 +304016,7 @@ which the system will be deployed as closely as possible. - + Restrict usage of ptrace to descendant processes @@ -304017,7 +304033,7 @@ which the system will be deployed as closely as possible. - + Harden the operation of the BPF just-in-time compiler @@ -304032,7 +304048,7 @@ which the system will be deployed as closely as possible. - + Harden the operation of the BPF just-in-time compiler @@ -304045,7 +304061,7 @@ which the system will be deployed as closely as possible. - + Harden the operation of the BPF just-in-time compiler @@ -304062,7 +304078,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Packets Routed Between Local Interfaces @@ -304077,7 +304093,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Packets Routed Between Local Interfaces @@ -304090,7 +304106,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Packets Routed Between Local Interfaces @@ -304107,7 +304123,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv4 Interfaces @@ -304122,7 +304138,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv4 Interfaces @@ -304135,7 +304151,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv4 Interfaces @@ -304152,7 +304168,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces @@ -304167,7 +304183,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces @@ -304180,7 +304196,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces @@ -304197,7 +304213,7 @@ which the system will be deployed as closely as possible. - + Configure ARP filtering for All IPv4 Interfaces @@ -304212,7 +304228,7 @@ which the system will be deployed as closely as possible. - + Configure ARP filtering for All IPv4 Interfaces @@ -304225,7 +304241,7 @@ which the system will be deployed as closely as possible. - + Configure ARP filtering for All IPv4 Interfaces @@ -304242,7 +304258,7 @@ which the system will be deployed as closely as possible. - + Configure Response Mode of ARP Requests for All IPv4 Interfaces @@ -304257,7 +304273,7 @@ which the system will be deployed as closely as possible. - + Configure Response Mode of ARP Requests for All IPv4 Interfaces @@ -304270,7 +304286,7 @@ which the system will be deployed as closely as possible. - + Configure Response Mode of ARP Requests for All IPv4 Interfaces @@ -304287,7 +304303,7 @@ which the system will be deployed as closely as possible. - + Drop Gratuitious ARP frames on All IPv4 Interfaces @@ -304302,7 +304318,7 @@ which the system will be deployed as closely as possible. - + Drop Gratuitious ARP frames on All IPv4 Interfaces @@ -304315,7 +304331,7 @@ which the system will be deployed as closely as possible. - + Drop Gratuitious ARP frames on All IPv4 Interfaces @@ -304332,7 +304348,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces @@ -304347,7 +304363,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces @@ -304360,7 +304376,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces @@ -304377,7 +304393,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces @@ -304392,7 +304408,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces @@ -304405,7 +304421,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces @@ -304422,7 +304438,7 @@ which the system will be deployed as closely as possible. - + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces @@ -304437,7 +304453,7 @@ which the system will be deployed as closely as possible. - + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces @@ -304450,7 +304466,7 @@ which the system will be deployed as closely as possible. - + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces @@ -304467,7 +304483,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces @@ -304482,7 +304498,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces @@ -304495,7 +304511,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces @@ -304512,7 +304528,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces @@ -304527,7 +304543,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces @@ -304540,7 +304556,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces @@ -304557,7 +304573,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces @@ -304572,7 +304588,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces @@ -304585,7 +304601,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces @@ -304602,7 +304618,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces @@ -304617,7 +304633,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces @@ -304630,7 +304646,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces @@ -304647,7 +304663,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces @@ -304662,7 +304678,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces @@ -304675,7 +304691,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces @@ -304692,7 +304708,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default @@ -304707,7 +304723,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default @@ -304720,7 +304736,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default @@ -304737,7 +304753,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default @@ -304752,7 +304768,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default @@ -304765,7 +304781,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default @@ -304782,7 +304798,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default @@ -304797,7 +304813,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default @@ -304810,7 +304826,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default @@ -304827,7 +304843,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel Parameter for Accepting Secure Redirects By Default @@ -304842,7 +304858,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel Parameter for Accepting Secure Redirects By Default @@ -304855,7 +304871,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel Parameter for Accepting Secure Redirects By Default @@ -304872,7 +304888,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default @@ -304887,7 +304903,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default @@ -304900,7 +304916,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default @@ -304917,7 +304933,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects by Default @@ -304932,7 +304948,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects by Default @@ -304945,7 +304961,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects by Default @@ -304962,7 +304978,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces @@ -304977,7 +304993,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces @@ -304990,7 +305006,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces @@ -305007,7 +305023,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces @@ -305022,7 +305038,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces @@ -305035,7 +305051,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces @@ -305052,7 +305068,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces @@ -305067,7 +305083,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces @@ -305080,7 +305096,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces @@ -305097,7 +305113,7 @@ which the system will be deployed as closely as possible. - + Set Kernel Parameter to Increase Local Port Range @@ -305112,7 +305128,7 @@ which the system will be deployed as closely as possible. - + Set Kernel Parameter to Increase Local Port Range @@ -305125,7 +305141,7 @@ which the system will be deployed as closely as possible. - + Set Kernel Parameter to Increase Local Port Range @@ -305142,7 +305158,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments @@ -305156,7 +305172,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments @@ -305169,7 +305185,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments @@ -305186,7 +305202,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces @@ -305201,7 +305217,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces @@ -305214,7 +305230,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces @@ -305231,7 +305247,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces @@ -305246,7 +305262,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces @@ -305259,7 +305275,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces @@ -305276,7 +305292,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Advertisements on All IPv6 Interfaces @@ -305294,7 +305310,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Advertisements on All IPv6 Interfaces @@ -305307,7 +305323,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Advertisements on All IPv6 Interfaces @@ -305324,7 +305340,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces @@ -305342,7 +305358,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces @@ -305355,7 +305371,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces @@ -305372,7 +305388,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces @@ -305390,7 +305406,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces @@ -305403,7 +305419,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces @@ -305420,7 +305436,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces @@ -305438,7 +305454,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces @@ -305451,7 +305467,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces @@ -305468,7 +305484,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv6 Interfaces @@ -305486,7 +305502,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv6 Interfaces @@ -305499,7 +305515,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv6 Interfaces @@ -305516,7 +305532,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces @@ -305534,7 +305550,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces @@ -305547,7 +305563,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces @@ -305564,7 +305580,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces @@ -305582,7 +305598,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces @@ -305595,7 +305611,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces @@ -305612,7 +305628,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on All IPv6 Interfaces @@ -305630,7 +305646,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on All IPv6 Interfaces @@ -305643,7 +305659,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on All IPv6 Interfaces @@ -305660,7 +305676,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv6 Forwarding @@ -305678,7 +305694,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv6 Forwarding @@ -305691,7 +305707,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv6 Forwarding @@ -305708,7 +305724,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces @@ -305726,7 +305742,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces @@ -305739,7 +305755,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces @@ -305756,7 +305772,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces @@ -305774,7 +305790,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces @@ -305787,7 +305803,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces @@ -305804,7 +305820,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default @@ -305822,7 +305838,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default @@ -305835,7 +305851,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default @@ -305852,7 +305868,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default @@ -305870,7 +305886,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default @@ -305883,7 +305899,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default @@ -305900,7 +305916,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default @@ -305918,7 +305934,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default @@ -305931,7 +305947,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default @@ -305948,7 +305964,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default @@ -305966,7 +305982,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default @@ -305979,7 +305995,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default @@ -305996,7 +306012,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces @@ -306014,7 +306030,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces @@ -306027,7 +306043,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces @@ -306044,7 +306060,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default @@ -306062,7 +306078,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default @@ -306075,7 +306091,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default @@ -306092,7 +306108,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces By Default @@ -306110,7 +306126,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces By Default @@ -306123,7 +306139,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces By Default @@ -306140,7 +306156,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on IPv6 Interfaces by Default @@ -306158,7 +306174,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on IPv6 Interfaces by Default @@ -306171,7 +306187,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on IPv6 Interfaces by Default @@ -306188,7 +306204,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default @@ -306206,7 +306222,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default @@ -306219,7 +306235,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default @@ -306236,7 +306252,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces By Default @@ -306254,7 +306270,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces By Default @@ -306267,7 +306283,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces By Default @@ -306284,7 +306300,7 @@ which the system will be deployed as closely as possible. - + Disable the use of user namespaces @@ -306299,7 +306315,7 @@ which the system will be deployed as closely as possible. - + Disable the use of user namespaces @@ -306312,7 +306328,7 @@ which the system will be deployed as closely as possible. - + Disable the use of user namespaces @@ -306329,7 +306345,7 @@ which the system will be deployed as closely as possible. - + Prevent applications from mapping low portion of virtual memory @@ -306344,7 +306360,7 @@ which the system will be deployed as closely as possible. - + Prevent applications from mapping low portion of virtual memory @@ -306357,7 +306373,7 @@ which the system will be deployed as closely as possible. - + Prevent applications from mapping low portion of virtual memory @@ -306374,7 +306390,7 @@ which the system will be deployed as closely as possible. - + Enable dnf-automatic Timer @@ -306392,7 +306408,7 @@ which the system will be deployed as closely as possible. - + Enable logrotate Timer @@ -306410,7 +306426,7 @@ which the system will be deployed as closely as possible. - + Enable Auditing to Start Prior to the Audit Daemon in zIPL @@ -306425,7 +306441,7 @@ which the system will be deployed as closely as possible. - + Extend Audit Backlog Limit for the Audit Daemon in zIPL @@ -306440,7 +306456,7 @@ which the system will be deployed as closely as possible. - + Enable page allocator poisoning in zIPL @@ -306455,7 +306471,7 @@ which the system will be deployed as closely as possible. - + Enable SLUB/SLAB allocator poisoning in zIPL @@ -306470,7 +306486,7 @@ which the system will be deployed as closely as possible. - + Disable vsyscalls in zIPL @@ -306485,7 +306501,7 @@ which the system will be deployed as closely as possible. - + Check pam_faillock Existence in system-auth @@ -306494,11 +306510,11 @@ which the system will be deployed as closely as possible.Check that pam_faillock.so exists in system-auth - + - + Check pam_pwquality Existence in system-auth @@ -306507,11 +306523,11 @@ which the system will be deployed as closely as possible.Check that pam_pwquality.so exists in system-auth - + - + Record Any Attempts to Run semanage @@ -306520,11 +306536,11 @@ which the system will be deployed as closely as possible.Test if auditctl is in use for audit rules. - + - + Record Any Attempts to Run semanage @@ -306533,11 +306549,11 @@ which the system will be deployed as closely as possible.Test if augenrules is enabled for audit rules. - + - + Record Events that Modify the System's Network Environment @@ -306552,7 +306568,7 @@ which the system will be deployed as closely as possible. - + @@ -306560,13 +306576,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Network Environment @@ -306581,7 +306597,7 @@ which the system will be deployed as closely as possible. - + @@ -306589,13 +306605,13 @@ which the system will be deployed as closely as possible. - + - + 'log_file' Not Set In /etc/audit/auditd.conf @@ -306605,10 +306621,10 @@ which the system will be deployed as closely as possible. - + - + 'log_group' Not Set To 'root' In /etc/audit/auditd.conf @@ -306619,11 +306635,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify GRUB_DISABLE_RECOVERY Set to true @@ -306633,11 +306649,11 @@ which the system will be deployed as closely as possible. - - + + - + Specify Multiple Remote chronyd NTP Servers for Time Data @@ -306646,11 +306662,11 @@ which the system will be deployed as closely as possible.Multiple chronyd NTP Servers for time synchronization should be specified. - + - + GRUB_CMDLINE_LINUX_DEFAULT existance check @@ -306660,10 +306676,10 @@ which the system will be deployed as closely as possible. - + - + Use $kernelopts in /boot/loader/entries/*.conf @@ -306673,10 +306689,10 @@ which the system will be deployed as closely as possible. - + - + Install McAfee Host-Based Intrusion Detection Software (HBSS) @@ -306693,7 +306709,7 @@ which the system will be deployed as closely as possible. - + Anolis OS 23 @@ -306708,7 +306724,7 @@ which the system will be deployed as closely as possible. - + CentOS 7 @@ -306724,7 +306740,7 @@ which the system will be deployed as closely as possible. - + CentOS 8 @@ -306741,7 +306757,7 @@ which the system will be deployed as closely as possible. - + CentOS Stream 9 @@ -306758,7 +306774,7 @@ which the system will be deployed as closely as possible. - + Debian @@ -306772,7 +306788,7 @@ which the system will be deployed as closely as possible. - + Installed operating system is Fedora @@ -306792,7 +306808,7 @@ which the system will be deployed as closely as possible. - + @@ -306805,7 +306821,7 @@ which the system will be deployed as closely as possible. - + Oracle Linux 7 @@ -306816,14 +306832,14 @@ which the system will be deployed as closely as possible. - + - + Oracle Linux 8 @@ -306834,14 +306850,14 @@ which the system will be deployed as closely as possible. - + - + Oracle Linux 9 @@ -306852,14 +306868,14 @@ which the system will be deployed as closely as possible. - + - + OpenEmbedded @@ -306874,7 +306890,7 @@ which the system will be deployed as closely as possible. - + openSUSE @@ -306888,7 +306904,7 @@ which the system will be deployed as closely as possible. - + Installed operating system is part of the Unix family @@ -306897,11 +306913,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is part of the Unix OS family - + - + Poky @@ -306916,7 +306932,7 @@ which the system will be deployed as closely as possible. - + Red Hat Enterprise Linux CoreOS @@ -306927,14 +306943,14 @@ which the system will be deployed as closely as possible. - + - + Red Hat Enterprise Linux CoreOS RHEL9 Based @@ -306945,11 +306961,11 @@ which the system will be deployed as closely as possible. - + - + @@ -306962,7 +306978,7 @@ which the system will be deployed as closely as possible. - + Red Hat Enterprise Linux 7 @@ -306973,21 +306989,21 @@ which the system will be deployed as closely as possible. - + - + - + Red Hat Enterprise Linux 8 @@ -306998,18 +307014,18 @@ which the system will be deployed as closely as possible. - + - + - + Red Hat Enterprise Linux 8.0 @@ -307019,11 +307035,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.0 - + - + Red Hat Enterprise Linux 8.1 @@ -307033,11 +307049,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.1 - + - + Red Hat Enterprise Linux 8.2 @@ -307047,11 +307063,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.2 - + - + Red Hat Enterprise Linux 8.3 @@ -307061,11 +307077,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.3 - + - + Red Hat Enterprise Linux 8.4 @@ -307075,11 +307091,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.4 - + - + Red Hat Enterprise Linux 8.5 @@ -307089,11 +307105,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.5 - + - + Red Hat Enterprise Linux 8.6 @@ -307103,11 +307119,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.6 - + - + Red Hat Enterprise Linux 8.7 @@ -307117,11 +307133,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.7 - + - + Red Hat Enterprise Linux 8.8 @@ -307131,11 +307147,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.8 - + - + Red Hat Enterprise Linux 8.9 @@ -307145,11 +307161,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.9 - + - + Red Hat Enterprise Linux 8.10 @@ -307159,11 +307175,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.10 - + - + Red Hat Enterprise Linux 9 @@ -307174,18 +307190,18 @@ which the system will be deployed as closely as possible. - + - + - + Red Hat Virtualization 4 @@ -307201,7 +307217,7 @@ which the system will be deployed as closely as possible. - + Scientific Linux 7 @@ -307217,7 +307233,7 @@ which the system will be deployed as closely as possible. - + SUSE Linux Enterprise 12 @@ -307229,7 +307245,7 @@ which the system will be deployed as closely as possible. - + @@ -307238,7 +307254,7 @@ which the system will be deployed as closely as possible. - + SUSE Linux Enterprise 15 @@ -307250,7 +307266,7 @@ which the system will be deployed as closely as possible. - + @@ -307261,7 +307277,7 @@ which the system will be deployed as closely as possible. - + Ubuntu @@ -307276,7 +307292,7 @@ which the system will be deployed as closely as possible. - + Ubuntu 16.04 LTS @@ -307291,7 +307307,7 @@ which the system will be deployed as closely as possible. - + Ubuntu 18.04 LTS @@ -307306,7 +307322,7 @@ which the system will be deployed as closely as possible. - + Ubuntu 20.04 LTS @@ -307321,35 +307337,35 @@ which the system will be deployed as closely as possible. - + System uses zIPL Red Hat Enterprise Linux 8 - Checks if system uses zIPL bootloader. + Checks if system uses zIPL bootloader. - + - + Check if the environment is a OSBuild pipeline Red Hat Enterprise Linux 8 - Check the value of environment variable container. + Check the value of environment variable container. - + - + No CD/DVD drive is configured to automount in /etc/fstab @@ -307359,11 +307375,11 @@ which the system will be deployed as closely as possible. - - + + - + Device Files for Removable Media Partitions Does Not Exist on the System @@ -307373,11 +307389,11 @@ which the system will be deployed as closely as possible. - - + + - + SSHD is not required to be installed or requirement not set @@ -307391,7 +307407,7 @@ which the system will be deployed as closely as possible. - + SSHD is required to be installed or requirement not set @@ -307405,7 +307421,7 @@ which the system will be deployed as closely as possible. - + It doesn't matter if sshd is installed or not @@ -307418,7 +307434,7 @@ which the system will be deployed as closely as possible. - + OpenSSH Server is 7.4 or newer @@ -307431,7 +307447,7 @@ which the system will be deployed as closely as possible. - + Kernel Runtime Parameter IPv6 Check @@ -307447,7 +307463,7 @@ which the system will be deployed as closely as possible. - + Test for 64-bit Architecture @@ -307463,7 +307479,7 @@ which the system will be deployed as closely as possible. - + Test for aarch_64 Architecture @@ -307472,11 +307488,11 @@ which the system will be deployed as closely as possible.Generic test for aarch_64 architecture to be used by other tests - + - + Test for PPC and PPCLE Architecture @@ -307490,7 +307506,7 @@ which the system will be deployed as closely as possible. - + Test for s390_64 Architecture @@ -307499,11 +307515,11 @@ which the system will be deployed as closely as possible.Generic test for s390_64 architecture to be used by other tests - + - + Test for x86 Architecture @@ -307512,11 +307528,11 @@ which the system will be deployed as closely as possible.Generic test for x86 architecture to be used by other tests - + - + Test for x86_64 Architecture @@ -307525,11 +307541,11 @@ which the system will be deployed as closely as possible.Generic test for x86_64 architecture to be used by other tests - + - + @@ -307542,7 +307558,7 @@ which the system will be deployed as closely as possible. - + Check that file storing USBGuard rules exists and is not empty @@ -307555,7 +307571,7 @@ which the system will be deployed as closely as possible. - + Value of 'var_accounts_user_umask' variable represented as octal number @@ -307568,7 +307584,7 @@ which the system will be deployed as closely as possible. - + Value of 'var_removable_partition' variable is set to '/dev/cdrom' @@ -307578,11 +307594,11 @@ which the system will be deployed as closely as possible. - - + + - + Value of 'var_umask_for_daemons' variable represented as octal number @@ -307597,1173 +307613,1173 @@ which the system will be deployed as closely as possible. - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -308772,9300 +308788,9300 @@ which the system will be deployed as closely as possible. - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -318091,45 +318107,45 @@ which the system will be deployed as closely as possible.^\s*permissive\s*=\s*(\d+) 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*xferlog_enable[\s]*=[\s]*YES$ 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*xferlog_std_format[\s]*=[\s]*NO$ 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*log_ftp_protocol[\s]*=[\s]*YES$ 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*banner_file=/etc/issue[\s]*$ 1 - + /etc/httpd/conf - + /var/log/httpd - + /etc/httpd/conf.d/ ^.*$ - + /etc/httpd/conf ^.*$ - + /etc/httpd/conf.modules.d/ ^.*$ @@ -318184,7 +318200,7 @@ which the system will be deployed as closely as possible.^(?i)postmaster\s*:\s*(.+)$ 1 - + /etc/postfix/main.cf ^[\s]*inet_interfaces[\s]*=[\s]*(.*)[\s]*$ 1 @@ -318199,7 +318215,7 @@ which the system will be deployed as closely as possible.^[ \t]*smtpd_client_restrictions = (.+?)[ \t]*(?:$|#) 1 - + ^/etc/postfix/main.cf @@ -318263,50 +318279,50 @@ which the system will be deployed as closely as possible.^\s*OPTIONS=.*[\s'"]-u(?!\s*chrony\b).* 0 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^[\s]*server.*$ 1 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^[\s]+pool.*$ 1 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^[\s]*(?:server|pool)[\s]+.+$ 1 - + /etc/ntp.conf ^([\s]*server[\s]+.+$){2,}$ 1 - + /etc/ntp.conf ^[\s]*server[\s]+.+$ 1 - + / shosts.equiv - + /root ^\.rhosts$ - + /home ^\.rhosts$ - + /etc ^hosts\.equiv$ - + / .shosts @@ -318361,7 +318377,7 @@ which the system will be deployed as closely as possible.^[\s]*(com2se|rocommunity|rwcommunity) 1 - + /etc/ssh .*_key$ oval:ssg-exclude_symlinks__sshd_private_key:ste:1 @@ -318426,7 +318442,7 @@ which the system will be deployed as closely as possible. oval:ssg-var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count:var:1 - + /etc/sysconfig/network-scripts ^ifcfg-(?!lo).* ^ZONE=(.*)$ @@ -318615,7 +318631,7 @@ which the system will be deployed as closely as possible.^[\s]*cache_credentials\s*=\s*(\w+)\s*(?:#.*)?$ 1 - + ^/etc/sssd/(sssd|conf\.d/.*)\.conf$ ^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*user[ \t]*=[ \t]*(\S*) 1 @@ -318645,7 +318661,7 @@ which the system will be deployed as closely as possible.^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#) 1 - + ^/etc/usbguard/usbguard-daemon.conf @@ -318657,22 +318673,22 @@ which the system will be deployed as closely as possible. xorg-x11-server-Xwayland - + /etc/systemd/system/default.target - + /etc/pam.d/fingerprint-auth - + /etc/pam.d/password-auth - + /etc/pam.d/postlogin - + /etc/pam.d/smartcard-auth - + /etc/pam.d/system-auth @@ -318737,24 +318753,24 @@ which the system will be deployed as closely as possible.^\s*(?:auth.*pam_faillock\.so.*)?dir\s*=\s*(\S+) 1 - + oval:ssg-var_account_password_selinux_faillock_dir_collector:var:1 - + /etc/pam.d/system-auth 1 - + /etc/pam.d/password-auth 1 - + /etc/security/faillock.conf ^\s*audit 1 @@ -318809,124 +318825,124 @@ which the system will be deployed as closely as possible.^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ 1 - + /etc/pam.d/system-auth 1 - + /etc/pam.d/password-auth 1 - + /etc/security/faillock.conf ^\s*audit 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + /etc/pam.d/system-auth 1 oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 - + /etc/pam.d/password-auth 1 oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 - + /etc/pam.d/system-auth 1 @@ -318937,147 +318953,147 @@ which the system will be deployed as closely as possible. oval:ssg-var_faillock_dir_set_both_preauth_authfail_password_auth:var:1 - + /etc/security/faillock.conf 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + /etc/pam.d/system-auth 1 - + /etc/pam.d/password-auth 1 - + /etc/security/faillock.conf ^\s*silent 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 @@ -319107,7 +319123,7 @@ which the system will be deployed as closely as possible.^[\s]*retry[\s]*=[\s]*(\d+)(?:[\s]|$) 1 - + /etc/libuser.conf ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ 1 @@ -319121,12 +319137,12 @@ which the system will be deployed as closely as possible. oval:ssg-variable_last_encrypt_method_instance_value:var:1 - + /etc/pam.d/password-auth ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ 1 - + /etc/pam.d/system-auth ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ 1 @@ -319156,7 +319172,7 @@ which the system will be deployed as closely as possible.^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ 1 - + /etc/systemd/system/ctrl-alt-del.target @@ -319174,7 +319190,7 @@ which the system will be deployed as closely as possible.^\s*\[Login\].*(?:\n\s*[^[\s].*)*\n^\s*StopIdleSessionSec[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/systemd/logind.conf @@ -319187,12 +319203,12 @@ which the system will be deployed as closely as possible.^Requires=.*emergency\.service 1 - + /etc/systemd/system ^emergency.service$ - + /etc/systemd/system ^emergency.target$ @@ -319391,7 +319407,7 @@ which the system will be deployed as closely as possible.^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ 1 - + oval:ssg-var_password_pam_unix_rounds:var:1 @@ -319399,7 +319415,7 @@ which the system will be deployed as closely as possible.^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ 1 - + oval:ssg-var_password_pam_unix_rounds:var:1 @@ -319432,22 +319448,22 @@ which the system will be deployed as closely as possible. \.forward$ - + /etc/group ^\+.*$ 1 - + /etc/passwd ^\+.*$ 1 - + /etc/shadow ^\+.*$ 1 - + /home ^\.netrc$ @@ -319462,7 +319478,7 @@ which the system will be deployed as closely as possible.^root:.+:\d+:(\d+).+ 1 - + /etc/group 1 @@ -319509,22 +319525,22 @@ which the system will be deployed as closely as possible.^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt|\/bin\/false|\/usr\/bin\/false).*$ 1 - + /etc/securetty ^ttyS[0-9]+$ 1 - + /etc/securetty ^vc/[0-9]+$ 1 - + /etc/pam.d/su ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ 1 - + /etc/pam.d/su ^\s*auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)[^#]*\bgroup=([_a-z][-0-9_a-z]*) 1 @@ -319534,7 +319550,7 @@ which the system will be deployed as closely as possible.^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:#.*)?$ 1 - + /etc/login.defs ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) 1 @@ -319872,7 +319888,7 @@ which the system will be deployed as closely as possible. PATH - + oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 @@ -319882,7 +319898,7 @@ which the system will be deployed as closely as possible. PATH - + /etc/bashrc ^[\s]*umask[\s]+([^#\s]*) 1 @@ -319890,7 +319906,7 @@ which the system will be deployed as closely as possible. oval:ssg-var_etc_bashrc_umask_as_number:var:1 - + /etc/csh.cshrc ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 @@ -319898,7 +319914,7 @@ which the system will be deployed as closely as possible. oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 - + /etc/login.defs ^[\s]*UMASK[\s]+([^#\s]*) 1 @@ -319925,7 +319941,7 @@ which the system will be deployed as closely as possible.1 oval:ssg-state_object_accounts_umask_interactive_users_objects_users_ignored:ste:1 - + ^\..* ^[\s]*umask\s* @@ -320222,92 +320238,92 @@ which the system will be deployed as closely as possible. 1 - + /var/log/audit oval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1 - + /var/log/audit oval:ssg-state_group_owner_not_root_var_log_audit_directories-non_root:ste:1 - + oval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1 - + - + oval:ssg-state_owner_not_root_var_log_audit_directories:ste:1 - + /var/log/audit oval:ssg-state_owner_not_root_var_log_audit_directories:ste:1 - + oval:ssg-state_not_mode_0700:ste:1 - + /var/log/audit oval:ssg-state_not_mode_0700:ste:1 - + oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 - + /var/log/audit/audit.log oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 - + /var/log/audit oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 - + /var/log/audit ^.*$ oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 - + /var/log/audit oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 - + /var/log/audit ^.*$ oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 - + oval:ssg-state_owner_not_root_var_log_audit:ste:1 - + /var/log/audit/audit.log oval:ssg-state_owner_not_root_var_log_audit:ste:1 - + oval:ssg-state_not_mode_0600:ste:1 - + /var/log/audit/audit.log oval:ssg-state_not_mode_0600:ste:1 @@ -320689,7 +320705,7 @@ which the system will be deployed as closely as possible.(?:.*\n)* 1 - + ^CONFIG_RANDOM_TRUST_CPU=(y|Y)$ @@ -320763,13 +320779,13 @@ which the system will be deployed as closely as possible.^\s*image\s*=.*$ 1 - + /boot/bootmap - + /etc/zipl.conf - + ^/boot/loader/entries/.*\.conf$ @@ -320811,34 +320827,34 @@ which the system will be deployed as closely as possible.^[\s]*cron\.\*[\s]+/var/log/cron\s*(?:#.*)?$ 1 - + /etc/rsyslog.conf ^\$ActionSendStreamDriverAuthMode x509/name$ 1 - + /etc/rsyslog.d ^.*conf$ ^\$ActionSendStreamDriverAuthMode x509/name$ 1 - + /etc/rsyslog.conf ^\$ActionSendStreamDriverMode 1$ 1 - + /etc/rsyslog.d ^.*conf$ ^\$ActionSendStreamDriverMode 1$ 1 - + /etc/rsyslog.conf ^\$DefaultNetstreamDriver gtls$ 1 - + /etc/rsyslog.d ^.*conf$ ^\$DefaultNetstreamDriver gtls$ @@ -320961,24 +320977,19 @@ which the system will be deployed as closely as possible.^.*$ oval:ssg-state_promisc:ste:1 - - /etc/firewalld/firewalld.conf - ^DefaultZone=drop$ - 1 - - + /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_DEFAULTGW=.+$ 1 - + /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_PRIVACY=rfc3041$ 1 - + /etc/sysconfig/network-scripts ifcfg-.* ^IPV6ADDR=.+$ @@ -320990,12 +321001,12 @@ which the system will be deployed as closely as possible.^\s*options\s+ipv6\s+.*disable=1.*$ 1 - + /etc/netconfig ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ 1 - + /etc/netconfig ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ 1 @@ -321009,29 +321020,29 @@ which the system will be deployed as closely as possible. oval:ssg-state_uid_is_not_root_and_world_writable:ste:1 - + / oval:ssg-state_world_writable_and_not_sticky:ste:1 - + / oval:ssg-state_uid_is_user_and_world_writable:ste:1 - + / oval:ssg-state_gid_is_user_and_world_writable:ste:1 - + /boot ^System\.map.*$ - + / ^.*$ @@ -321047,13 +321058,13 @@ which the system will be deployed as closely as possible..* - + / ^.*$ oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1 - + / ^.*$ @@ -321069,13 +321080,13 @@ which the system will be deployed as closely as possible..* - + / ^.*$ oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1 - + / ^.*$ @@ -321084,7 +321095,7 @@ which the system will be deployed as closely as possible.oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1 oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1 - + / .* @@ -321098,28 +321109,28 @@ which the system will be deployed as closely as possible. .* - + / .* oval:ssg-file_permissions_unowned_userid_list_match:ste:1 - + ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin ^.*$ oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1 - + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec oval:ssg-state_owner_binaries_not_root:ste:1 - + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ oval:ssg-state_owner_binaries_not_root:ste:1 - + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 @@ -321134,7 +321145,7 @@ which the system will be deployed as closely as possible.^/\w.*$ oval:ssg-state_local_nodev:ste:1 - + /etc/fstab ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ 1 @@ -321142,7 +321153,7 @@ which the system will be deployed as closely as possible. ^/var/tmp$ - + /etc/mtab ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ 1 @@ -321189,7 +321200,7 @@ which the system will be deployed as closely as possible.^[\s]*\*[\s]+(?:hard|-)[\s]+core 1 - + /etc/init.d/functions ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 @@ -321249,21 +321260,21 @@ which the system will be deployed as closely as possible.^.*(selinux|enforcing)=0.*$ 1 - + /dev ^.*$ oval:ssg-state_block_or_char_device_file:ste:1 - + oval:ssg-state_selinux_dev_device_t:ste:1 - + oval:ssg-state_selinux_dev_unlabeled_t:ste:1 - + /proc ^.*$ @@ -321297,22 +321308,22 @@ which the system will be deployed as closely as possible.^.*\.(.*)$ 1 - + /etc/dconf/db/gdm - + ^/etc/dconf/db/gdm.d/.* - + oval:ssg-var_dconf_gdm_db_modified_time:var:1 - + /etc/dconf/db/local - + ^/etc/dconf/db/local.d/.* - + oval:ssg-var_dconf_local_db_modified_time:var:1 @@ -321383,7 +321394,7 @@ which the system will be deployed as closely as possible.^\s*\[xdmcp\].*(?:\n\s*[^[\s].*)*\n^\s*Enable[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/gdm/custom.conf @@ -321631,13 +321642,13 @@ which the system will be deployed as closely as possible.^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ 1 - + /etc/crypto-policies/state/current - + /etc/crypto-policies/config - + oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 @@ -321661,10 +321672,10 @@ which the system will be deployed as closely as possible. oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 - + /etc/krb5.conf.d/crypto-policies - + /etc/crypto-policies/back-ends/krb5.config @@ -321784,11 +321795,11 @@ which the system will be deployed as closely as possible. MFEcma - + /opt/NAI/LinuxShield/engine/dat ^.*\.dat$ - + oval:ssg-variable_mcafee_dat_files_mtime:var:1 @@ -321821,7 +321832,7 @@ which the system will be deployed as closely as possible.fips=1 1 - + /etc/system-fips @@ -321875,12 +321886,12 @@ which the system will be deployed as closely as possible.^/usr/sbin/augenrules\s+([^\n]+)$ 1 - + /etc/crontab ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ 1 - + /etc/cron.d ^.*$ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ @@ -321891,23 +321902,23 @@ which the system will be deployed as closely as possible.^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ 1 - + ^/etc/cron.(daily|weekly)$ ^.*$ ^[^#]*\/usr\/sbin\/aide\s+\-\-check\s*$ 1 - + /etc/crontab ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 - + /var/spool/cron/root ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 - + ^/etc/cron.(d|daily|weekly|monthly)$ ^.*$ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ @@ -321973,10 +321984,10 @@ which the system will be deployed as closely as possible..* oval:ssg-state_files_fail_mode:ste:1 - + /usr/bin/sudo - + /etc/group 1 @@ -322110,7 +322121,7 @@ which the system will be deployed as closely as possible.^Defaults runaspw$\r?\n 1 - + /etc/yum.conf ^\s*clean_requirements_on_remove\s*=\s*(1|True|yes)\s*$ 1 @@ -322120,7 +322131,7 @@ which the system will be deployed as closely as possible.^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*apply_updates[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/dnf/automatic.conf @@ -322128,15 +322139,15 @@ which the system will be deployed as closely as possible.^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/dnf/automatic.conf - + /etc/yum.conf ^\s*gpgcheck\s*=\s*1\s*$ 1 - + /etc/yum.conf ^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$ 1 @@ -322147,7 +322158,7 @@ which the system will be deployed as closely as possible.^\s*gpgcheck\s*=\s*0\s*$ 1 - + /etc/yum.conf ^\s*repo_gpgcheck\s*=\s*(1|True|yes)\s*$ 1 @@ -325238,168 +325249,168 @@ which the system will be deployed as closely as possible.^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ 1 - + /lib oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_0:ste:1 - + /lib64 oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_1:ste:1 - + /usr/lib oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_2:ste:1 - + /usr/lib64 oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_3:ste:1 - + /bin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_0:ste:1 - + /sbin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_1:ste:1 - + /usr/bin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_2:ste:1 - + /usr/sbin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_3:ste:1 - + /usr/local/bin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_4:ste:1 - + /usr/local/sbin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_5:ste:1 - + /lib oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1 - + /lib64 oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1 - + /usr/lib oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1 - + /usr/lib64 oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1 - + /bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_0_mode_0755or_stricter_:ste:1 - + /sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_1_mode_0755or_stricter_:ste:1 - + /usr/bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_2_mode_0755or_stricter_:ste:1 - + /usr/sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_3_mode_0755or_stricter_:ste:1 - + /usr/local/bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_4_mode_0755or_stricter_:ste:1 - + /usr/local/sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_5_mode_0755or_stricter_:ste:1 - + /lib oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_library_dirs_0_mode_7755or_stricter_:ste:1 - + /lib64 oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_library_dirs_1_mode_7755or_stricter_:ste:1 - + /usr/lib oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_library_dirs_2_mode_7755or_stricter_:ste:1 - + /usr/lib64 @@ -325411,311 +325422,311 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_disable_host_auth:obj:1 - + /etc/at.deny - + /sbin/auditctl oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_4:ste:1 - + /sbin/rsyslogd oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_6:ste:1 - + /sbin/auditctl oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_4:ste:1 - + /sbin/rsyslogd oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_6:ste:1 - + /sbin/auditctl oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_0_mode_0755or_stricter_:ste:1 - + /sbin/aureport oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_1_mode_0755or_stricter_:ste:1 - + /sbin/ausearch oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_2_mode_0755or_stricter_:ste:1 - + /sbin/autrace oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_3_mode_0755or_stricter_:ste:1 - + /sbin/auditd oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_4_mode_0755or_stricter_:ste:1 - + /sbin/rsyslogd oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_5_mode_0755or_stricter_:ste:1 - + /sbin/augenrules oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_6_mode_0755or_stricter_:ste:1 - + /etc/cron.deny - + /etc/at.allow oval:ssg-symlink_file_groupowner_at_allow_uid_0:ste:1 oval:ssg-state_file_groupowner_at_allow_gid_0_0:ste:1 - + /etc/group- oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1 - + /etc/gshadow- oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1 - + /etc/passwd- oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1 - + /etc/shadow- oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1 - + /etc/cron.allow oval:ssg-symlink_file_groupowner_cron_allow_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_allow_gid_0_0:ste:1 - + /etc/cron.d oval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1 - + /etc/cron.daily oval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1 - + /etc/cron.hourly oval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1 - + /etc/cron.monthly oval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1 - + /etc/cron.weekly oval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1 - + /etc/crontab oval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1 oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1 - + /boot/efi/EFI/redhat/grub.cfg oval:ssg-symlink_file_groupowner_efi_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_efi_grub2_cfg_gid_0_0:ste:1 - + /boot/efi/EFI/redhat/user.cfg oval:ssg-symlink_file_groupowner_efi_user_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_efi_user_cfg_gid_0_0:ste:1 - + /etc/group oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1 - + /etc/gshadow oval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1 - + /etc/issue oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1 - + /etc/issue.net oval:ssg-symlink_file_groupowner_etc_issue_net_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_issue_net_gid_0_0:ste:1 - + /etc/motd oval:ssg-symlink_file_groupowner_etc_motd_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_motd_gid_0_0:ste:1 - + /etc/passwd oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1 - + /etc/shadow oval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1 - + /boot/grub2/grub.cfg oval:ssg-symlink_file_groupowner_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_grub2_cfg_gid_0_0:ste:1 - + /etc/ssh/sshd_config oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1 oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1 - + /boot/grub2/user.cfg oval:ssg-symlink_file_groupowner_user_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_user_cfg_gid_0_0:ste:1 - + /var/log oval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1 oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1 - + /var/log/messages oval:ssg-symlink_file_groupowner_var_log_messages_uid_0:ste:1 oval:ssg-state_file_groupowner_var_log_messages_gid_0_0:ste:1 - + /var/log/syslog oval:ssg-symlink_file_groupowner_var_log_syslog_uid_4:ste:1 oval:ssg-state_file_groupowner_var_log_syslog_gid_4_0:ste:1 - + /sbin/auditctl oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_4:ste:1 - + /sbin/audispd oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_6:ste:1 - + /etc/audit ^audit(\.rules|d\.conf)$ oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_configuration_gid_0_0:ste:1 - + /etc/audit/rules.d ^.*\.rules$ oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_configuration_gid_0_1:ste:1 - + /etc/ssh ^.*_key$ oval:ssg-symlink_file_groupownership_sshd_private_key_uid_ssh_keys:ste:1 @@ -325726,464 +325737,464 @@ which the system will be deployed as closely as possible.^ssh_keys:\w+:(\w+):.* 1 - + /etc/ssh ^.*\.pub$ oval:ssg-symlink_file_groupownership_sshd_pub_key_uid_0:ste:1 oval:ssg-state_file_groupownership_sshd_pub_key_gid_0_0:ste:1 - + /etc/group- oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1 - + /etc/gshadow- oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1 - + /etc/passwd- oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1 - + /etc/shadow- oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1 - + /etc/cron.allow oval:ssg-symlink_file_owner_cron_allow_uid_0:ste:1 oval:ssg-state_file_owner_cron_allow_uid_0_0:ste:1 - + /etc/cron.d oval:ssg-symlink_file_owner_cron_d_uid_0:ste:1 oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1 - + /etc/cron.daily oval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1 oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1 - + /etc/cron.hourly oval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1 oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1 - + /etc/cron.monthly oval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1 oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1 - + /etc/cron.weekly oval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1 oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1 - + /etc/crontab oval:ssg-symlink_file_owner_crontab_uid_0:ste:1 oval:ssg-state_file_owner_crontab_uid_0_0:ste:1 - + /boot/efi/EFI/redhat/grub.cfg oval:ssg-symlink_file_owner_efi_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_owner_efi_grub2_cfg_uid_0_0:ste:1 - + /boot/efi/EFI/redhat/user.cfg oval:ssg-symlink_file_owner_efi_user_cfg_uid_0:ste:1 oval:ssg-state_file_owner_efi_user_cfg_uid_0_0:ste:1 - + /etc/group oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1 oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1 - + /etc/gshadow oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1 - + /etc/issue oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1 oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1 - + /etc/issue.net oval:ssg-symlink_file_owner_etc_issue_net_uid_0:ste:1 oval:ssg-state_file_owner_etc_issue_net_uid_0_0:ste:1 - + /etc/motd oval:ssg-symlink_file_owner_etc_motd_uid_0:ste:1 oval:ssg-state_file_owner_etc_motd_uid_0_0:ste:1 - + /etc/passwd oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1 oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1 - + /etc/shadow oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1 oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1 - + /boot/grub2/grub.cfg oval:ssg-symlink_file_owner_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_owner_grub2_cfg_uid_0_0:ste:1 - + /etc/ssh/sshd_config oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1 oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1 - + /boot/grub2/user.cfg oval:ssg-symlink_file_owner_user_cfg_uid_0:ste:1 oval:ssg-state_file_owner_user_cfg_uid_0_0:ste:1 - + /var/log oval:ssg-symlink_file_owner_var_log_uid_0:ste:1 oval:ssg-state_file_owner_var_log_uid_0_0:ste:1 - + /var/log/messages oval:ssg-symlink_file_owner_var_log_messages_uid_0:ste:1 oval:ssg-state_file_owner_var_log_messages_uid_0_0:ste:1 - + /var/log/syslog oval:ssg-symlink_file_owner_var_log_syslog_uid_104:ste:1 oval:ssg-state_file_owner_var_log_syslog_uid_104_0:ste:1 - + /sbin/auditctl oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_4:ste:1 - + /sbin/audispd oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_6:ste:1 - + /etc/audit ^audit(\.rules|d\.conf)$ oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_ownership_audit_configuration_uid_0_0:ste:1 - + /etc/audit/rules.d ^.*\.rules$ oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_ownership_audit_configuration_uid_0_1:ste:1 - + /lib ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1 - + /lib64 ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1 - + /usr/lib ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1 - + /usr/lib64 ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1 - + /etc/ssh ^.*_key$ oval:ssg-symlink_file_ownership_sshd_private_key_uid_0:ste:1 oval:ssg-state_file_ownership_sshd_private_key_uid_0_0:ste:1 - + /etc/ssh ^.*\.pub$ oval:ssg-symlink_file_ownership_sshd_pub_key_uid_0:ste:1 oval:ssg-state_file_ownership_sshd_pub_key_uid_0_0:ste:1 - + /etc/at.allow oval:ssg-exclude_symlinks__at_allow:ste:1 oval:ssg-state_file_permissions_at_allow_0_mode_0600or_stricter_:ste:1 - + /sbin/auditctl oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_0_mode_0755or_stricter_:ste:1 - + /sbin/aureport oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_1_mode_0755or_stricter_:ste:1 - + /sbin/ausearch oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_2_mode_0755or_stricter_:ste:1 - + /sbin/autrace oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_3_mode_0755or_stricter_:ste:1 - + /sbin/auditd oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_4_mode_0755or_stricter_:ste:1 - + /sbin/audispd oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_5_mode_0755or_stricter_:ste:1 - + /sbin/augenrules oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_6_mode_0755or_stricter_:ste:1 - + /etc/audit .*audit\(\.rules\|d\.conf\)$ oval:ssg-exclude_symlinks__audit_configuration:ste:1 oval:ssg-state_file_permissions_audit_configuration_0_mode_0640or_stricter_:ste:1 - + /etc/audit/rules.d .*\.rules$ oval:ssg-exclude_symlinks__audit_configuration:ste:1 oval:ssg-state_file_permissions_audit_configuration_1_mode_0640or_stricter_:ste:1 - + /etc/group- oval:ssg-exclude_symlinks__backup_etc_group:ste:1 oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1 - + /etc/gshadow- oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1 oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1 - + /etc/passwd- oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1 oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1 - + /etc/shadow- oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1 oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1 - + /etc/cron.allow oval:ssg-exclude_symlinks__cron_allow:ste:1 oval:ssg-state_file_permissions_cron_allow_0_mode_0600or_stricter_:ste:1 - + /etc/cron.d oval:ssg-exclude_symlinks__cron_d:ste:1 oval:ssg-state_file_permissions_cron_d_0_mode_0700or_stricter_:ste:1 - + /etc/cron.daily oval:ssg-exclude_symlinks__cron_daily:ste:1 oval:ssg-state_file_permissions_cron_daily_0_mode_0700or_stricter_:ste:1 - + /etc/cron.hourly oval:ssg-exclude_symlinks__cron_hourly:ste:1 oval:ssg-state_file_permissions_cron_hourly_0_mode_0700or_stricter_:ste:1 - + /etc/cron.monthly oval:ssg-exclude_symlinks__cron_monthly:ste:1 oval:ssg-state_file_permissions_cron_monthly_0_mode_0700or_stricter_:ste:1 - + /etc/cron.weekly oval:ssg-exclude_symlinks__cron_weekly:ste:1 oval:ssg-state_file_permissions_cron_weekly_0_mode_0700or_stricter_:ste:1 - + /etc/crontab oval:ssg-exclude_symlinks__crontab:ste:1 oval:ssg-state_file_permissions_crontab_0_mode_0600or_stricter_:ste:1 - + /boot/efi/EFI/redhat/grub.cfg oval:ssg-exclude_symlinks__efi_grub2_cfg:ste:1 oval:ssg-state_file_permissions_efi_grub2_cfg_0_mode_0700or_stricter_:ste:1 - + /boot/efi/EFI/redhat/user.cfg oval:ssg-exclude_symlinks__efi_user_cfg:ste:1 oval:ssg-state_file_permissions_efi_user_cfg_0_mode_0700or_stricter_:ste:1 - + /etc/audit/auditd.conf oval:ssg-exclude_symlinks__etc_audit_auditd:ste:1 oval:ssg-state_file_permissions_etc_audit_auditd_0_mode_0640or_stricter_:ste:1 - + /etc/audit/rules.d ^.*rules$ oval:ssg-exclude_symlinks__etc_audit_rulesd:ste:1 oval:ssg-state_file_permissions_etc_audit_rulesd_0_mode_0640or_stricter_:ste:1 - + /etc/group oval:ssg-exclude_symlinks__etc_group:ste:1 oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1 - + /etc/gshadow oval:ssg-exclude_symlinks__etc_gshadow:ste:1 oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1 - + /etc/issue oval:ssg-exclude_symlinks__etc_issue:ste:1 oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1 - + /etc/issue.net oval:ssg-exclude_symlinks__etc_issue_net:ste:1 oval:ssg-state_file_permissions_etc_issue_net_0_mode_0644or_stricter_:ste:1 - + /etc/motd oval:ssg-exclude_symlinks__etc_motd:ste:1 oval:ssg-state_file_permissions_etc_motd_0_mode_0644or_stricter_:ste:1 - + /etc/passwd oval:ssg-exclude_symlinks__etc_passwd:ste:1 oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1 - + /etc/shadow oval:ssg-exclude_symlinks__etc_shadow:ste:1 oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1 - + /boot/grub2/grub.cfg oval:ssg-exclude_symlinks__grub2_cfg:ste:1 oval:ssg-state_file_permissions_grub2_cfg_0_mode_0600or_stricter_:ste:1 - + /lib ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1 - + /lib64 ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1 - + /usr/lib ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1 - + /usr/lib64 ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1 - + /etc/ssh/sshd_config oval:ssg-exclude_symlinks__sshd_config:ste:1 oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1 - + /etc/ssh ^.*\.pub$ oval:ssg-exclude_symlinks__sshd_pub_key:ste:1 oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1 - + /boot/grub2/user.cfg oval:ssg-exclude_symlinks__user_cfg:ste:1 oval:ssg-state_file_permissions_user_cfg_0_mode_0600or_stricter_:ste:1 - + /var/log oval:ssg-exclude_symlinks__var_log:ste:1 oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1 - + /var/log/messages oval:ssg-exclude_symlinks__var_log_messages:ste:1 oval:ssg-state_file_permissions_var_log_messages_0_mode_0640or_stricter_:ste:1 - + /var/log/syslog oval:ssg-exclude_symlinks__var_log_syslog:ste:1 oval:ssg-state_file_permissions_var_log_syslog_0_mode_0640or_stricter_:ste:1 @@ -326559,7 +326570,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_acpi_custom_method_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326571,7 +326582,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_arm64_sw_ttbr0_pan_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326583,7 +326594,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_binfmt_misc_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326595,7 +326606,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_bug_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326607,7 +326618,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_bug_on_data_corruption_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326619,7 +326630,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_compat_brk_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326631,7 +326642,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_compat_vdso_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326643,7 +326654,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_credentials_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326655,7 +326666,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_fs_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326667,7 +326678,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_list_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326679,7 +326690,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_notifiers_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326691,7 +326702,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_sg_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326703,7 +326714,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_wx_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326715,7 +326726,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_default_mmap_min_addr_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326727,7 +326738,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_devkmem_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326739,7 +326750,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_fortify_source_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326751,7 +326762,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_gcc_plugin_latent_entropy_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326763,7 +326774,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_gcc_plugin_structleak_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326775,7 +326786,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_hardened_usercopy_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326787,7 +326798,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_hardened_usercopy_fallback_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326799,7 +326810,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_hibernation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326811,7 +326822,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_ia32_emulation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326823,7 +326834,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_ipv6_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326835,7 +326846,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_kexec_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326847,7 +326858,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_legacy_ptys_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326859,7 +326870,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_legacy_vsyscall_emulate_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326871,7 +326882,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_legacy_vsyscall_none_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326883,7 +326894,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_modify_ldt_syscall_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326895,7 +326906,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326907,7 +326918,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_all_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326919,7 +326930,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_force_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326931,7 +326942,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_hash_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326943,7 +326954,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_key_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326955,7 +326966,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_sha512_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326967,7 +326978,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_poisoning_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326979,7 +326990,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_poisoning_no_sanity_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326991,7 +327002,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_poisoning_zero_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327003,7 +327014,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_table_isolation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327015,7 +327026,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_panic_on_oops_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327027,7 +327038,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_panic_timeout_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327039,7 +327050,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_proc_kcore_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327051,7 +327062,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_randomize_base_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327063,7 +327074,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_randomize_memory_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327075,7 +327086,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_refcount_full_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327087,7 +327098,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_retpoline_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327099,7 +327110,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_sched_stack_end_check_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327111,7 +327122,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_seccomp_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327123,7 +327134,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_seccomp_filter_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327135,7 +327146,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327147,7 +327158,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_dmesg_restrict_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327159,7 +327170,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_writable_hooks_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327171,7 +327182,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_yama_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327183,7 +327194,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slab_freelist_hardened_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327195,7 +327206,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slab_freelist_random_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327207,7 +327218,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slab_merge_default_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327219,7 +327230,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slub_debug_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327231,7 +327242,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_stackprotector_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327243,7 +327254,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_stackprotector_strong_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327255,7 +327266,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_strict_kernel_rwx_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327267,7 +327278,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_strict_module_rwx_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327279,7 +327290,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_syn_cookies_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327291,7 +327302,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_unmap_kernel_at_el0_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327303,7 +327314,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_vmap_stack_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327315,7 +327326,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_x86_vsyscall_emulation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327583,106 +327594,106 @@ which the system will be deployed as closely as possible.^blacklist\s+vfat$ 1 - + /boot/efi - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot/efi[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /dev/shm - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 - + /dev/shm - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 - + /dev/shm - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 @@ -327757,146 +327768,146 @@ which the system will be deployed as closely as possible. 1 - + /opt - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/opt[\s]+[\S]+[\s]+([\S]+) 1 - + /proc - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/proc[\s]+[\S]+[\s]+([\S]+) 1 - + /srv - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/srv[\s]+[\S]+[\s]+([\S]+) 1 - + /tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log/audit - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log/audit - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log/audit - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 - + /var - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 - + /var - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 - + /var - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 - + /var/tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /var/tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /var/tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 @@ -328303,28 +328314,28 @@ which the system will be deployed as closely as possible. /var/tmp - + /lib ^.*$ oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1 oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_0:ste:1 - + /lib64 ^.*$ oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1 oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_1:ste:1 - + /usr/lib ^.*$ oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1 oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_2:ste:1 - + /usr/lib64 ^.*$ @@ -329307,893 +329318,898 @@ which the system will be deployed as closely as possible. zoneminder_run_sudo - + ^abrtd\.(service|socket)$ ActiveState - + ^abrtd\.(service|socket)$ LoadState abrt - + ^acpid\.(service|socket)$ ActiveState - + ^acpid\.(service|socket)$ LoadState acpid - + ^atd\.(service|socket)$ ActiveState - + ^atd\.(service|socket)$ LoadState at - + multi-user.target - + multi-user.target - + ^auditd\.(socket|service)$ ActiveState audit - + ^autofs\.(service|socket)$ ActiveState - + ^autofs\.(service|socket)$ LoadState autofs - + ^avahi-daemon\.(service|socket)$ ActiveState - + ^avahi-daemon\.(service|socket)$ LoadState avahi - + ^bluetooth\.(service|socket)$ ActiveState - + ^bluetooth\.(service|socket)$ LoadState bluez - + ^certmonger\.(service|socket)$ ActiveState - + ^certmonger\.(service|socket)$ LoadState certmonger - + multi-user.target - + multi-user.target - + ^chronyd\.(socket|service)$ ActiveState chrony - + ^cockpit\.(service|socket)$ ActiveState - + ^cockpit\.(service|socket)$ LoadState cockpit - + ^cpupower\.(service|socket)$ ActiveState - + ^cpupower\.(service|socket)$ LoadState kernel-tools - + multi-user.target - + multi-user.target - + ^cron\.(socket|service)$ ActiveState cron - + multi-user.target - + multi-user.target - + ^crond\.(socket|service)$ ActiveState cronie - + ^cups\.(service|socket)$ ActiveState - + ^cups\.(service|socket)$ LoadState cups - + ^debug-shell\.(service|socket)$ ActiveState - + ^debug-shell\.(service|socket)$ LoadState systemd - + ^dhcpd\.(service|socket)$ ActiveState - + ^dhcpd\.(service|socket)$ LoadState dhcp-server - + ^dovecot\.(service|socket)$ ActiveState - + ^dovecot\.(service|socket)$ LoadState dovecot - + multi-user.target - + multi-user.target - + ^fapolicyd\.(socket|service)$ ActiveState fapolicyd - + multi-user.target - + multi-user.target - + ^firewalld\.(socket|service)$ ActiveState firewalld - + ^httpd\.(service|socket)$ ActiveState - + ^httpd\.(service|socket)$ LoadState httpd - + multi-user.target - + multi-user.target - + ^ip6tables\.(socket|service)$ ActiveState iptables-ipv6 - + multi-user.target - + multi-user.target - + ^iptables\.(socket|service)$ ActiveState iptables - + ^kdump\.(service|socket)$ ActiveState - + ^kdump\.(service|socket)$ LoadState kexec-tools - + ^mdmonitor\.(service|socket)$ ActiveState - + ^mdmonitor\.(service|socket)$ LoadState mdadm - + multi-user.target - + multi-user.target - + ^nails\.(socket|service)$ ActiveState nails - + ^named\.(service|socket)$ ActiveState - + ^named\.(service|socket)$ LoadState bind - + ^netconsole\.(service|socket)$ ActiveState - + ^netconsole\.(service|socket)$ LoadState netconsole - + ^netfs\.(service|socket)$ ActiveState - + ^netfs\.(service|socket)$ LoadState netfs - + ^nfs-server\.(service|socket)$ ActiveState - + ^nfs-server\.(service|socket)$ LoadState nfs-utils - + ^nfslock\.(service|socket)$ ActiveState - + ^nfslock\.(service|socket)$ LoadState nfs-utils - + ^nftables\.(service|socket)$ ActiveState - + ^nftables\.(service|socket)$ LoadState nftables - + multi-user.target - + multi-user.target - + ^nftables\.(socket|service)$ ActiveState nftables - + multi-user.target - + multi-user.target - + ^ntp\.(socket|service)$ ActiveState ntp - + multi-user.target - + multi-user.target - + ^ntpd\.(socket|service)$ ActiveState ntp - + ^ntpdate\.(service|socket)$ ActiveState - + ^ntpdate\.(service|socket)$ LoadState ntpdate - + ^oddjobd\.(service|socket)$ ActiveState - + ^oddjobd\.(service|socket)$ LoadState oddjob - + multi-user.target - + multi-user.target - + ^pcscd\.(socket|service)$ ActiveState pcsc-lite - + ^portreserve\.(service|socket)$ ActiveState - + ^portreserve\.(service|socket)$ LoadState portreserve - + multi-user.target - + multi-user.target - + ^postfix\.(socket|service)$ ActiveState postfix - + multi-user.target - + multi-user.target - + ^psacct\.(socket|service)$ ActiveState psacct - + ^qpidd\.(service|socket)$ ActiveState - + ^qpidd\.(service|socket)$ LoadState qpid-cpp-server - + ^quota_nld\.(service|socket)$ ActiveState - + ^quota_nld\.(service|socket)$ LoadState quota-nld - + ^rdisc\.(service|socket)$ ActiveState - + ^rdisc\.(service|socket)$ LoadState iputils - + ^rexec\.(service|socket)$ ActiveState - + ^rexec\.(service|socket)$ LoadState rsh-server - + ^rhnsd\.(service|socket)$ ActiveState - + ^rhnsd\.(service|socket)$ LoadState rhnsd - + ^rhsmcertd\.(service|socket)$ ActiveState - + ^rhsmcertd\.(service|socket)$ LoadState subscription-manager - + ^rlogin\.(service|socket)$ ActiveState - + ^rlogin\.(service|socket)$ LoadState rsh-server - + multi-user.target - + multi-user.target - + ^rngd\.(socket|service)$ ActiveState rng-tools - + ^rpcbind\.(service|socket)$ ActiveState - + ^rpcbind\.(service|socket)$ LoadState rpcbind - + ^rpcgssd\.(service|socket)$ ActiveState - + ^rpcgssd\.(service|socket)$ LoadState nfs-utils - + ^rpcidmapd\.(service|socket)$ ActiveState - + ^rpcidmapd\.(service|socket)$ LoadState nfs-utils - + ^rpcsvcgssd\.(service|socket)$ ActiveState - + ^rpcsvcgssd\.(service|socket)$ LoadState nfs-utils - + ^rsh\.(service|socket)$ ActiveState - + ^rsh\.(service|socket)$ LoadState rsh - + ^rsyncd\.(service|socket)$ ActiveState - + ^rsyncd\.(service|socket)$ LoadState rsync-daemon - + multi-user.target - + multi-user.target - + ^rsyslog\.(socket|service)$ ActiveState rsyslog - + ^saslauthd\.(service|socket)$ ActiveState - + ^saslauthd\.(service|socket)$ LoadState cyrus-sasl - + ^slapd\.(service|socket)$ ActiveState - + ^slapd\.(service|socket)$ LoadState openldap-servers - + ^smb\.(service|socket)$ ActiveState - + ^smb\.(service|socket)$ LoadState samba - + ^snmpd\.(service|socket)$ ActiveState - + ^snmpd\.(service|socket)$ LoadState net-snmp - + ^squid\.(service|socket)$ ActiveState - + ^squid\.(service|socket)$ LoadState squid - + ^sshd\.(service|socket)$ ActiveState - + ^sshd\.(service|socket)$ LoadState openssh-server - + multi-user.target - + multi-user.target - + ^sshd\.(socket|service)$ ActiveState openssh-server - + multi-user.target - + multi-user.target - + ^sssd\.(socket|service)$ ActiveState sssd - + ^syslog\.(service|socket)$ ActiveState - + ^syslog\.(service|socket)$ LoadState rsyslog - + multi-user.target - + multi-user.target - + ^syslog-ng\.(socket|service)$ ActiveState syslog-ng - + ^sysstat\.(service|socket)$ ActiveState - + ^sysstat\.(service|socket)$ LoadState sysstat - + ^systemd-coredump.socket$ LoadState - + multi-user.target - + multi-user.target - + ^systemd-journald\.(socket|service)$ ActiveState systemd - + ^telnet\.(service|socket)$ ActiveState - + ^telnet\.(service|socket)$ LoadState telnet-server - + ^tftp\.(service|socket)$ ActiveState - + ^tftp\.(service|socket)$ LoadState tftp-server - + multi-user.target - + multi-user.target - + ^ufw\.(socket|service)$ ActiveState ufw - + multi-user.target - + multi-user.target - + ^usbguard\.(socket|service)$ ActiveState usbguard - + ^vsftpd\.(service|socket)$ ActiveState - + ^vsftpd\.(service|socket)$ LoadState vsftpd - + ^xinetd\.(service|socket)$ ActiveState - + ^xinetd\.(service|socket)$ LoadState xinetd - + ^ypbind\.(service|socket)$ ActiveState - + ^ypbind\.(service|socket)$ LoadState ypbind - + ^ypserv\.(service|socket)$ ActiveState - + ^ypserv\.(service|socket)$ LoadState ypserv - + ^zebra\.(service|socket)$ ActiveState - + ^zebra\.(service|socket)$ LoadState quagga - + + /etc/firewalld/firewalld.conf + ^[\s]*DefaultZone=drop[\s]*$ + 1 + + ^systemd-journal-remote.socket$ LoadState @@ -330202,7 +330218,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_empty_passwords:obj:1 @@ -330212,7 +330228,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_gssapi_auth:obj:1 @@ -330222,7 +330238,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_kerb_auth:obj:1 @@ -330232,7 +330248,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_pubkey_auth:obj:1 @@ -330242,7 +330258,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_rhosts:obj:1 @@ -330252,7 +330268,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_root_login:obj:1 @@ -330262,7 +330278,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_root_password_login:obj:1 @@ -330272,7 +330288,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)AllowTcpForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_tcp_forwarding:obj:1 @@ -330282,7 +330298,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_user_known_hosts:obj:1 @@ -330292,7 +330308,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_x11_forwarding:obj:1 @@ -330302,7 +330318,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 @@ -330312,7 +330328,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_gssapi_auth:obj:1 @@ -330322,7 +330338,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_pam:obj:1 @@ -330332,7 +330348,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_pubkey_auth:obj:1 @@ -330342,7 +330358,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_strictmodes:obj:1 @@ -330352,7 +330368,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_warning_banner:obj:1 @@ -330362,7 +330378,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_warning_banner_net:obj:1 @@ -330372,7 +330388,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_x11_forwarding:obj:1 @@ -330387,7 +330403,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_print_last_log:obj:1 @@ -330397,7 +330413,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_set_keepalive_0:obj:1 @@ -330407,7 +330423,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_set_loglevel_info:obj:1 @@ -330417,7 +330433,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_set_loglevel_verbose:obj:1 @@ -330432,7 +330448,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_x11_use_localhost:obj:1 @@ -330482,7 +330498,7 @@ which the system will be deployed as closely as possible.^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b).*$ 1 - + /usr/bin/sudo oval:ssg-exclude_symlinks_sudo_restrict_others_executable_permission:ste:1 oval:ssg-state_file_permissionssudo_restrict_others_executable_permission_0_mode_4110or_stricter_:ste:1 @@ -334282,17 +334298,17 @@ which the system will be deployed as closely as possible.^[\s]*vm.mmap_min_addr[\s]*=[\s]*(.*)[\s]*$ 1 - + multi-user.target - + dnf-automatic\.timer ActiveState - + multi-user.target - + logrotate\.timer ActiveState @@ -334411,12 +334427,12 @@ which the system will be deployed as closely as possible.^(log_file\s*=\s*.*)$ 1 - + /etc/audit/auditd.conf ^[ ]*log_group[ ]+=[ ]+root[ ]*$ 1 - + /etc/audit/auditd.conf ^[ ]*log_group[ ]+=.*$ 1 @@ -334426,7 +334442,7 @@ which the system will be deployed as closely as possible.^\s*GRUB_DISABLE_RECOVERY=(.*)$ 1 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^([\s]*server[\s]+.+$){2,}$ 1 @@ -334468,7 +334484,7 @@ which the system will be deployed as closely as possible.^VERSION_ID="(\d)"$ 1 - + /etc/debian_version @@ -334493,7 +334509,7 @@ which the system will be deployed as closely as possible. oraclelinux-release - + /etc/os-release @@ -334505,7 +334521,7 @@ which the system will be deployed as closely as possible.openSUSE-release - + /etc/os-release @@ -334634,7 +334650,7 @@ which the system will be deployed as closely as possible. SLE_HPC-release - + /etc/lsb-release @@ -334684,13 +334700,13 @@ which the system will be deployed as closely as possible. openssh-server - - - - - - - + + + + + + + /etc/tmux.conf @@ -334709,13 +334725,13 @@ which the system will be deployed as closely as possible. - + ^(static|none)$ - + 0 - + false false false @@ -334724,7 +334740,7 @@ which the system will be deployed as closely as possible.false false - + false false false @@ -334768,50 +334784,50 @@ which the system will be deployed as closely as possible.false false - + 25 - + ::1 - + - + (?i)root - + - + ^permit_mynetworks[ \t]*[, \t][ \t]*reject$ - + ^.*,sec=krb5\:krb5i\:krb5p.*$ - + 0 - + 0 - + - + maxpoll \d+ - + - + 2 sec=(krb5i|ntlmv2i) - + symbolic link - + /etc/ssh .*_key$ 0 @@ -334827,7 +334843,7 @@ which the system will be deployed as closely as possible.false false - + /etc/ssh .*_key$ @@ -334842,344 +334858,344 @@ which the system will be deployed as closely as possible.false false - + 32 - + 32 - + - + - + - + - + - + - + 0 - + - + - + 0 - + - + 0 - + - + 0 - + 10 - + 30 - + 100 - + - + ^\s*CRYPTO_POLICY\s*=.*-oKexAlgorithms=(?=[\w-])(\becdh-sha2-nistp256\b,?)?(\becdh-sha2-nistp384\b,?)?(\becdh-sha2-nistp521\b,?)?(\bdiffie-hellman-group-exchange-sha256\b,?)?(\bdiffie-hellman-group14-sha256\b,?)?(\bdiffie-hellman-group16-sha512\b,?)?(\bdiffie-hellman-group18-sha512)?(\s.*)?'[\s]*(?:#.*)?$ - + - + - + - + ^.*pam.*$ - + ^.*(try_cert_auth|require_cert_auth).*$ - + ^.*allow_missing_name.*$ - + - + false - + sssd - + - + - + ^LinuxAudit$ - + /etc/systemd/system/default.target ^(/usr)?/lib/systemd/system/multi-user.target$ - + /etc/pam.d/fingerprint-auth /etc/authselect/fingerprint-auth - + /etc/pam.d/password-auth /etc/authselect/password-auth - + /etc/pam.d/postlogin /etc/authselect/postlogin - + /etc/pam.d/smartcard-auth /etc/authselect/smartcard-auth - + /etc/pam.d/system-auth /etc/authselect/system-auth - + - + - + - + - + faillog_t - + - + - + - + - + 0 - + /var/run/faillock - + 2 - + 2 - + - + - + - + 0 - + - + 5000 - + /etc/systemd/system/ctrl-alt-del.target /dev/null - + - + 0 - + 900 - + - + - + - + ^root$ - + - + - + - + - + -1 - + - + - + - + - + - + - + - + - + - + - + - + ^[x*]$ - + ^(!|!!|!\*|\*|!locked)$ - + ^(!\$6\$|!!\$6\$).*$ - + SHA-512 - + .* - + ^(!|!!|!\*|\*|!locked)$ - + 86400000 - + - + - + - + - + - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + 0 - + ^[^:]+:[^:]+:[0-9]+:\s*$ - + 1000 - + ^(root|halt|sync|shutdown|nfsnobody)$ - + ^(!|!!|!\*|\*|!locked).*$ - + 0 - + - + - + - + - + - + - + - + directory false false @@ -335191,7 +335207,7 @@ which the system will be deployed as closely as possible.false false - + directory false false @@ -335203,80 +335219,80 @@ which the system will be deployed as closely as possible.false false - + 1 - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ regular true - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + ^\/[^\/\n]*\/[^\/\n]{1,}.*$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ @@ -335288,55 +335304,55 @@ which the system will be deployed as closely as possible.false false - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + false - + false - + false - + false - + false - + false - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + - + false false false @@ -335346,16 +335362,16 @@ which the system will be deployed as closely as possible.false false - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + ^(nobody|nfsnobody)$ @@ -335368,13 +335384,13 @@ which the system will be deployed as closely as possible.false false - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ @@ -335387,50 +335403,50 @@ which the system will be deployed as closely as possible.false false - + true true - + symbolic link - + ^[:\.] - + :: - + \.\. - + [:\.]$ - + ^[^/] - + [^\\]:[^/] - + - + - + - + - + ^(nobody|nfsnobody)$ - + ^\.bash_history - + @@ -335479,195 +335495,195 @@ which the system will be deployed as closely as possible.true true - + ^/dev/.*$ - + nosuid - + noexec - + true true - + ^/var/tmp/dracut.* - + - + - + - + - + - + - + - + - + SYSLOG - + SINGLE - + HALT - + - + SYSLOG - + SINGLE - + HALT - + - + - + - + - + - + - + rotate - + single - + - + - + - + - + - + ^(?i)(syslog|single|halt)(?-i)$ - + - + - + - + - + ^(?:.*\s)?random\.trust_cpu=on(?:\s.*)?$ - + ^(?:.*\s)?random\.trust_cpu=off(?:\s.*)?$ - + - + - + ^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$ - + - + - + ^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$ - + - + - + \bsystemd.debug-shell\b - + \bsystemd.debug-shell\b - + 416 - + (?=[\S\s]*\s(?i)protocol(?-i)="tcp")(?=[\S\s]*\s(?i)Target(?-i)="[^"]+?")(?=[\S\s]*\s(?i)port(?-i)="6514")(?=[\S\s]*\s(?i)StreamDriver(?-i)="gtls")(?=[\S\s]*\s(?i)StreamDriverMode(?-i)="1")(?=[\S\s]*\s(?i)StreamDriverAuthMode(?-i)="x509/name")(?=[\S\s]*\s(?i)StreamDriver\.CheckExtendedKeyPurpose(?-i)="on") - + 0 - + ResultActive=auth_admin - + PROMISC - + UP - + 0 true - + false true - + 1000 true - + 1000 true - + 0 - + false false false @@ -335679,38 +335695,38 @@ which the system will be deployed as closely as possible.false false - + true - + - + true - + - + regular true - + ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ - + ^/proc/.*$ - + ^/sys/.*$ - + - + - + 1000 @@ -335720,184 +335736,184 @@ which the system will be deployed as closely as possible.true true - + symbolic link - + ^.*\bnousb\b.*$ - + ^/dev/.*$ nodev - + - + ^(?i)0(?-i)$ - + ^(?i)0(?-i)$ - + ^(?i)none(?-i)$ - + ^(?i)none(?-i)$ - + 0 - + 0 - + - + 1 - + ^(block|character) special$ - + device_t - + unlabeled_t - + unconfined_service_t - + ^(enforcing|permissive)$ - + - + - + x86_64 - + \blm\b - + ^(x86_64|aarch64|ppc64le|s390x)$ - + - + - + ^false$ - + - + - + - + - + - + - + /etc/crypto-policies/back-ends/krb5.config - + 1.2 - + - + - + 0:20210617-1 - + ^TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256$ - + ^final all$ - + ^512M 1h$ - + ^no$ - + ^aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc$ - + ^ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256$ - + ^hmac-sha2-512,hmac-sha2-256$ - + ^ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1$ - + - + - + ^'-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'$ - + - + - + /etc/profile.d/openssl-rand.sh SHA-256 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af - + - + fips - + ^(?:.*\s)?fips=1(?:\s.*)?$ - + ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ - + 1 - + ^p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512$ - + ^.*sha512.*$ - + ^.*acl.*$ - + ^.*xattrs.*$ @@ -335905,73 +335921,73 @@ which the system will be deployed as closely as possible.false false - + fail - + fail - + fail - + - + /etc/sudoers.d - + ^yes$ - + ^security$ - + 4ae0493b fd431d51 - + 5b32db75 d4082792 - + 5ccc5b19 8483c65d - + - + - + - + - + - + 0 - + - + - + - + - + - + ## Unsuccessful file access (any other opens) This has to go last. -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access @@ -335979,14 +335995,14 @@ which the system will be deployed as closely as possible. - + ## Successful file access (any other opens) This has to go last. ## These next two are likely to result in a whole lot of events -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access - + ## First rule - delete all -D @@ -336002,7 +336018,7 @@ which the system will be deployed as closely as possible. - + ## Unsuccessful file creation (open with O_CREAT) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create @@ -336018,7 +336034,7 @@ which the system will be deployed as closely as possible. - + ## Successful file creation (open with O_CREAT) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create @@ -336028,7 +336044,7 @@ which the system will be deployed as closely as possible. - + ## Unsuccessful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete @@ -336036,19 +336052,19 @@ which the system will be deployed as closely as possible. - + ## Successful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete - + ## Make the loginuid immutable. This prevents tampering with the auid. --loginuid-immutable - + ## Unsuccessful file modifications (open for write or truncate) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification @@ -336064,7 +336080,7 @@ which the system will be deployed as closely as possible. - + ## Successful file modifications (open for write or truncate) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification @@ -336074,7 +336090,7 @@ which the system will be deployed as closely as possible. - + ## These rules watch for kernel module insertion. By monitoring ## the syscall, we do not need any watches on programs. -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load @@ -336083,7 +336099,7 @@ which the system will be deployed as closely as possible. - + ## The purpose of these rules is to meet the requirements for Operating ## System Protection Profile (OSPP)v4.2. These rules depends on having ## the following rule files copied to /etc/audit/rules.d: @@ -336170,7 +336186,7 @@ which the system will be deployed as closely as possible. - + ## Unsuccessful ownership change -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change @@ -336178,13 +336194,13 @@ which the system will be deployed as closely as possible. - + ## Successful ownership change -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change - + ## Unsuccessful permission change -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change @@ -336192,681 +336208,681 @@ which the system will be deployed as closely as possible. - + ## Successful permission change -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change - + ^(?i)50(?-i)$ - + ^(?i)yes(?-i)$ - + ^(?i)ENRICHED(?-i)$ - + ^(?i)yes(?-i)$ - + ^(?:.*\s)?selinux=0(?:\s.*)?$ - + ^(?:.*\s)?selinux=0(?:\s.*)?$ - + ^(?:.*\s)?selinux=0(?:\s.*)?$ - + ^true$ - + ^'lock-screen'$ - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + symbolic link - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + symbolic link - + false false - + false false - + false false - + false false - + symbolic link - + ^no$ - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 4 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + symbolic link - + - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 104 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + false false false @@ -336878,62 +336894,62 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + symbolic link - + false false false @@ -336944,7 +336960,7 @@ which the system will be deployed as closely as possible.false false - + false false false @@ -336955,10 +336971,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -336968,10 +336984,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -336985,10 +337001,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -336998,10 +337014,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337015,10 +337031,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337030,10 +337046,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337044,10 +337060,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337058,10 +337074,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337072,10 +337088,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337086,10 +337102,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337100,10 +337116,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337115,10 +337131,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337129,10 +337145,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337143,10 +337159,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337157,10 +337173,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337171,10 +337187,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337184,10 +337200,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337201,10 +337217,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337214,10 +337230,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337227,10 +337243,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337240,10 +337256,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337253,10 +337269,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337270,10 +337286,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337285,29 +337301,29 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false - + false false - + false false - + false false - + symbolic link - + false false false @@ -337319,10 +337335,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337332,10 +337348,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337347,20 +337363,20 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false false false - + symbolic link - + false false false @@ -337371,10 +337387,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337385,727 +337401,727 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + ^nftables$ - + ^(?:.*\s)?audit=1(?:\s.*)?$ - + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ - + ^(?:.*\s)?iommu=force(?:\s.*)?$ - + ^(?:.*\s)?ipv6\.disable=1(?:\s.*)?$ - + - + ^(?:.*\s)?mce=0(?:\s.*)?$ - + ^(?:.*\s)?page_poison=1(?:\s.*)?$ - + ^(?:.*\s)?pti=on(?:\s.*)?$ - + - + ^(?:.*\s)?slab_nomerge=yes(?:\s.*)?$ - + - + - + ^(?:.*\s)?spectre_v2=on(?:\s.*)?$ - + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ - + ^yes$ - + ^yes$ - + ^persistent$ - + n - + - + y - + - + n - + - + y - + - + y - + - + n - + - + n - + - + y - + - + n - + - + y - + - + y - + - + y - + - + y - + - + 65536 - + - + n - + - + y - + - + y - + - + y - + - + y - + - + n - + - + n - + - + n - + - + n - + - + n - + - + n - + - + n - + - + y - + - + n - + - + y - + - + y - + - + y - + - + - + - + - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + - + - + n - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + n - + - + y - + - + y - + - + y - + - + y - + - + n - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + n - + - + nosuid - + 1 nosuid - + noauto - + 1 noauto - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + grpquota - + 1 grpquota - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + usrquota - + 1 usrquota - + ^.*sec=krb5:krb5i:krb5p.*$ - + ^.*nodev.*$ - + ^.*,?nodev,?.*$ - + ^.*,?nodev,?.* - + ^.*noexec.*$ - + ^.*,?noexec,?.*$ - + ^.*,?noexec,?.* - + ^.*nosuid.*$ - + ^.*,?nosuid,?.*$ - + ^.*,?nosuid,?.* - + nosuid - + 1 nosuid - + - + 1 - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + 0 - + 0 - + 0 - + 0 - + symbolic link - + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) - + regular - + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) - + regular - + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) - + regular false false @@ -338117,2099 +338133,2099 @@ which the system will be deployed as closely as possible.false false - + abrt_anon_write - + abrt_handle_event - + abrt_upload_watch_anon_write - + antivirus_can_scan_system - + antivirus_use_jit - + auditadm_exec_content - + authlogin_nsswitch_use_ldap - + authlogin_radius - + authlogin_yubikey - + awstats_purge_apache_log_files - + boinc_execmem - + cdrecord_read_content - + cluster_can_network_connect - + cluster_manage_all_files - + cluster_use_execmem - + cobbler_anon_write - + cobbler_can_network_connect - + cobbler_use_cifs - + cobbler_use_nfs - + collectd_tcp_network_connect - + condor_tcp_network_connect - + conman_can_network - + container_connect_any - + cron_can_relabel - + cron_system_cronjob_use_shares - + cron_userdomain_transition - + cups_execmem - + cvs_read_shadow - + daemons_dump_core - + daemons_enable_cluster_mode - + daemons_use_tcp_wrapper - + daemons_use_tty - + dbadm_exec_content - + dbadm_manage_user_files - + dbadm_read_user_files - + deny_execmem - + deny_ptrace - + dhcpc_exec_iptables - + dhcpd_use_ldap - + domain_fd_use - + domain_kernel_load_modules - + entropyd_use_audio - + exim_can_connect_db - + exim_manage_user_files - + exim_read_user_files - + fcron_crond - + fenced_can_network_connect - + fenced_can_ssh - + fips_mode - + ftpd_anon_write - + ftpd_connect_all_unreserved - + ftpd_connect_db - + ftpd_full_access - + ftpd_use_cifs - + ftpd_use_fusefs - + ftpd_use_nfs - + ftpd_use_passive_mode - + git_cgi_enable_homedirs - + git_cgi_use_cifs - + git_cgi_use_nfs - + git_session_bind_all_unreserved_ports - + git_session_users - + git_system_enable_homedirs - + git_system_use_cifs - + git_system_use_nfs - + gitosis_can_sendmail - + glance_api_can_network - + glance_use_execmem - + glance_use_fusefs - + global_ssp - + gluster_anon_write - + gluster_export_all_ro - + gluster_export_all_rw - + gpg_web_anon_write - + gssd_read_tmp - + guest_exec_content - + haproxy_connect_any - + httpd_anon_write - + httpd_builtin_scripting - + httpd_can_check_spam - + httpd_can_connect_ftp - + httpd_can_connect_ldap - + httpd_can_connect_mythtv - + httpd_can_connect_zabbix - + httpd_can_network_connect - + httpd_can_network_connect_cobbler - + httpd_can_network_connect_db - + httpd_can_network_memcache - + httpd_can_network_relay - + httpd_can_sendmail - + httpd_dbus_avahi - + httpd_dbus_sssd - + httpd_dontaudit_search_dirs - + httpd_enable_cgi - + httpd_enable_ftp_server - + httpd_enable_homedirs - + httpd_execmem - + httpd_graceful_shutdown - + httpd_manage_ipa - + httpd_mod_auth_ntlm_winbind - + httpd_mod_auth_pam - + httpd_read_user_content - + httpd_run_ipa - + httpd_run_preupgrade - + httpd_run_stickshift - + httpd_serve_cobbler_files - + httpd_setrlimit - + httpd_ssi_exec - + httpd_sys_script_anon_write - + httpd_tmp_exec - + httpd_tty_comm - + httpd_unified - + httpd_use_cifs - + httpd_use_fusefs - + httpd_use_gpg - + httpd_use_nfs - + httpd_use_openstack - + httpd_use_sasl - + httpd_verify_dns - + icecast_use_any_tcp_ports - + irc_use_any_tcp_ports - + irssi_use_full_network - + kdumpgui_run_bootloader - + kerberos_enabled - + ksmtuned_use_cifs - + ksmtuned_use_nfs - + logadm_exec_content - + logging_syslogd_can_sendmail - + logging_syslogd_run_nagios_plugins - + logging_syslogd_use_tty - + login_console_enabled - + logrotate_use_nfs - + logwatch_can_network_connect_mail - + lsmd_plugin_connect_any - + mailman_use_fusefs - + mcelog_client - + mcelog_exec_scripts - + mcelog_foreground - + mcelog_server - + minidlna_read_generic_user_content - + mmap_low_allowed - + mock_enable_homedirs - + mount_anyfile - + mozilla_plugin_bind_unreserved_ports - + mozilla_plugin_can_network_connect - + mozilla_plugin_use_bluejeans - + mozilla_plugin_use_gps - + mozilla_plugin_use_spice - + mozilla_read_content - + mpd_enable_homedirs - + mpd_use_cifs - + mpd_use_nfs - + mplayer_execstack - + mysql_connect_any - + nagios_run_pnp4nagios - + nagios_run_sudo - + named_tcp_bind_http_port - + named_write_master_zones - + neutron_can_network - + nfs_export_all_ro - + nfs_export_all_rw - + nfsd_anon_write - + nis_enabled - + nscd_use_shm - + openshift_use_nfs - + openvpn_can_network_connect - + openvpn_enable_homedirs - + openvpn_run_unconfined - + pcp_bind_all_unreserved_ports - + pcp_read_generic_logs - + piranha_lvs_can_network_connect - + polipo_connect_all_unreserved - + polipo_session_bind_all_unreserved_ports - + polipo_session_users - + polipo_use_cifs - + polipo_use_nfs - + polyinstantiation_enabled - + postfix_local_write_mail_spool - + postgresql_can_rsync - + postgresql_selinux_transmit_client_label - + postgresql_selinux_unconfined_dbadm - + postgresql_selinux_users_ddl - + pppd_can_insmod - + pppd_for_user - + privoxy_connect_any - + prosody_bind_http_port - + puppetagent_manage_all_files - + puppetmaster_use_db - + racoon_read_shadow - + rsync_anon_write - + rsync_client - + rsync_export_all_ro - + rsync_full_access - + samba_create_home_dirs - + samba_domain_controller - + samba_enable_home_dirs - + samba_export_all_ro - + samba_export_all_rw - + samba_load_libgfapi - + samba_portmapper - + samba_run_unconfined - + samba_share_fusefs - + samba_share_nfs - + sanlock_use_fusefs - + sanlock_use_nfs - + sanlock_use_samba - + saslauthd_read_shadow - + secadm_exec_content - + secure_mode - + secure_mode_insmod - + secure_mode_policyload - + selinuxuser_direct_dri_enabled - + selinuxuser_execheap - + selinuxuser_execmod - + selinuxuser_execstack - + selinuxuser_mysql_connect_enabled - + selinuxuser_ping - + selinuxuser_postgresql_connect_enabled - + selinuxuser_rw_noexattrfile - + selinuxuser_share_music - + selinuxuser_tcp_server - + selinuxuser_udp_server - + selinuxuser_use_ssh_chroot - + sge_domain_can_network_connect - + sge_use_nfs - + smartmon_3ware - + smbd_anon_write - + spamassassin_can_network - + spamd_enable_home_dirs - + squid_connect_any - + squid_use_tproxy - + ssh_chroot_rw_homedirs - + ssh_keysign - + ssh_sysadm_login - + staff_exec_content - + staff_use_svirt - + swift_can_network - + sysadm_exec_content - + telepathy_connect_all_ports - + telepathy_tcp_connect_generic_network_ports - + tftp_anon_write - + tftp_home_dir - + tmpreaper_use_nfs - + tmpreaper_use_samba - + tor_bind_all_unreserved_ports - + tor_can_network_relay - + unconfined_chrome_sandbox_transition - + unconfined_login - + unconfined_mozilla_plugin_transition - + unprivuser_use_svirt - + use_ecryptfs_home_dirs - + use_fusefs_home_dirs - + use_lpd_server - + use_nfs_home_dirs - + use_samba_home_dirs - + user_exec_content - + varnishd_connect_any - + virt_read_qemu_ga_data - + virt_rw_qemu_ga_data - + virt_sandbox_use_all_caps - + virt_sandbox_use_audit - + virt_sandbox_use_mknod - + virt_sandbox_use_netlink - + virt_sandbox_use_sys_admin - + virt_transition_userdomain - + virt_use_comm - + virt_use_execmem - + virt_use_fusefs - + virt_use_nfs - + virt_use_rawip - + virt_use_samba - + virt_use_sanlock - + virt_use_usb - + virt_use_xserver - + webadm_manage_user_files - + webadm_read_user_files - + wine_mmap_zero_ignore - + xdm_bind_vnc_tcp_port - + xdm_exec_bootloader - + xdm_sysadm_login - + xdm_write_home - + xen_use_nfs - + xend_run_blktap - + xend_run_qemu - + xguest_connect_network - + xguest_exec_content - + xguest_mount_media - + xguest_use_bluetooth - + xserver_clients_write_xshm - + xserver_execmem - + xserver_object_manager - + zabbix_can_network - + zarafa_setrlimit - + zebra_write_config - + zoneminder_anon_write - + zoneminder_run_sudo - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + auditd.service - + auditd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + chronyd.service - + chronyd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + cron.service - + cron.socket - + active - + crond.service - + crond.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + fapolicyd.service - + fapolicyd.socket - + active - + firewalld.service - + firewalld.socket - + active - + inactive|failed - + masked - + ip6tables.service - + ip6tables.socket - + active - + iptables.service - + iptables.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + nails.service - + nails.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + nftables.service - + nftables.socket - + active - + ntp.service - + ntp.socket - + active - + ntpd.service - + ntpd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + pcscd.service - + pcscd.socket - + active - + inactive|failed - + masked - + postfix.service - + postfix.socket - + active - + psacct.service - + psacct.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + rngd.service - + rngd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + rsyslog.service - + rsyslog.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + sshd.service - + sshd.socket - + active - + sssd.service - + sssd.socket - + active - + inactive|failed - + masked - + syslog-ng.service - + syslog-ng.socket - + active - + inactive|failed - + masked - + masked - + systemd-journald.service - + systemd-journald.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + ufw.service - + ufw.socket - + active - + usbguard.service - + usbguard.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + masked - + ^no$ - + ^no$ - + ^no$ - + ^no$ - + ^yes$ - + ^no$ - + ^prohibit-password$ - + ^no$ - + ^yes$ - + ^no$ - + ^no$ - + ^yes$ - + ^yes$ - + ^yes$ - + ^yes$ - + ^/etc/issue$ - + ^/etc/issue.net$ - + ^yes$ - + ^yes$ - + ^0$ - + ^INFO$ - + ^VERBOSE$ - + ^32$ - + ^yes$ - + - + - + - + false false false @@ -340220,682 +340236,682 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + 1 - + 1 - + 1 - + 1 - + 0 - + 0 - + |/bin/false - + |/bin/false - + 0 - + 0 - + 1 - + 1 - + 1 - + 1 - + 1 - + 2 - + 1 - + 2 - + 1 - + 1 - + 1 - + 1 - + 1 - + 1 - + 1 - + 1 - + 2 - + 2 - + 65536 - + 65536 - + 2 - + 2 - + 0 - + 0 - + 1 - + 1 - + 1 - + 1 - + 2 - + 2 - + 0 - + 0 - + - + - + - + - + - + - + - + - + 1 - + 1 - + - + - + - + - + 0 - + 0 - + 1 - + 2 - + 1 - + 2 - + - + - + 0 - + 0 - + - + - + - + - + - + - + - + - + - + - + - + - + 0 - + 0 - + - + - + - + - + - + - + 0 - + 0 - + 32768\s*65535 - + 32768\s*65535 - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 1 - + 1 - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 1 - + 1 - + - + - + - + - + 0 - + 0 - + 65536 - + 65536 - + dnf-automatic.timer - + active - + logrotate.timer - + active - + ^(?:.*\s)?audit=1(?:\s.*)?$ - + ^(?:.*\s)?audit=1(?:\s.*)?$ - + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ - + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ - + ^(?:.*\s)?page_poison=1(?:\s.*)?$ - + ^(?:.*\s)?page_poison=1(?:\s.*)?$ - + ^(?:.*\s)?slub_debug=P(?:\s.*)?$ - + ^(?:.*\s)?slub_debug=P(?:\s.*)?$ - + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ - + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ - + ^(true|"true")$ - + ^23.*$ - + ^7.*$ - + centos - + 8 - + centos - + 9 - + ol - + ^7.*$ - + ^8.*$ - + ^9.*$ - + openSUSE-release - + unix - + rhcos - + 4 - + 9 - + rhel - + unix - + ^7.*$ - + ^7.*$ - + ^7.*$ - + ^7.*$ - + 7 - + unix - + ^8.*$ - + ^8.0*$ - + ^8.1*$ - + ^8.2*$ - + ^8.3*$ - + ^8.4*$ - + ^8.5*$ - + ^8.6*$ - + ^8.7*$ - + ^8.8*$ - + ^8.9*$ - + ^8.10*$ - + 8 - + unix - + ^9.*$ - + 9 - + 0:4.4 - + ^7.*$ - + unix - + ^12.*$ - + ^12.*$ - + ^12.*$ - + unix - + ^15.*$ - + ^15.*$ - + ^15.*$ - + ^4.*$ - + ^15.*$ - + bwrap-osbuild - + 1 - + 2 - + 0 - + 0:7.4 - + aarch64 - + ppc64 - + ppc64le - + s390x - + i686 - + x86_64 true - + /dev/cdrom - - - - - + + + + + - + ^[\s]*RekeyLimit[\s]+ @@ -340904,14 +340920,14 @@ which the system will be deployed as closely as possible.[\s]*$ - - - + + + - + @@ -340919,19 +340935,19 @@ which the system will be deployed as closely as possible. ^(dmz|external|home|internal|public|trusted|work)\.xml$ - + - + - - - + + + ^ @@ -340940,43 +340956,43 @@ which the system will be deployed as closely as possible.[\s]*$ - - - - - - - - + + + + + + + + - + - - + + - + - - - - - - - - - + + + + + + + + + @@ -340984,7 +341000,7 @@ which the system will be deployed as closely as possible.^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit - + ^\s*password\s+(?: @@ -340997,13 +341013,13 @@ which the system will be deployed as closely as possible. - + ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ - + ^\s*remember\s*=\s*([0-9]+) - + ^\s*password\s+(?: @@ -341015,57 +341031,57 @@ which the system will be deployed as closely as possible. - + ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ - + ^\s*remember\s*=\s*([0-9]+) - + ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*$ - + ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ - + ^\s*remember\s*=\s*([0-9]+) ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) - + ^[\s]*deny[\s]*=[\s]*([0-9]+) - - + + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root - + ^[\s]*even_deny_root - + dir\s*=\s*(\S+|"[^"]+) @@ -341081,7 +341097,7 @@ which the system will be deployed as closely as possible. - + @@ -341090,7 +341106,7 @@ which the system will be deployed as closely as possible. - + @@ -341099,68 +341115,68 @@ which the system will be deployed as closely as possible. - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*local_users_only - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) - + ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) - + ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]+preauth[^\n#]+silent - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) - + ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) - - - + + + - - - - + + + + - + @@ -341168,63 +341184,63 @@ which the system will be deployed as closely as possible. - + - + - + - + - - + + - + - + - - + + - - + + - - - + + + @@ -341235,25 +341251,25 @@ which the system will be deployed as closely as possible.86400 - + - + 5000 - - + + 5000 - + - + - + ^ @@ -341262,60 +341278,60 @@ which the system will be deployed as closely as possible.:[^:]+:[0-9]+:.*$ - - + + - + - + - + - - - + + + - - + + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ - + - + - + - + - + ^[^#]* @@ -341323,189 +341339,189 @@ which the system will be deployed as closely as possible. - - + + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ - + - + - + - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + - + - + - + - + - + 64 @@ -341518,22 +341534,22 @@ which the system will be deployed as closely as possible. - + - + - + - + 64 @@ -341546,22 +341562,22 @@ which the system will be deployed as closely as possible. - + - + - + - + 64 @@ -341602,29 +341618,29 @@ which the system will be deployed as closely as possible. - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - + - + - + @@ -341653,91 +341669,91 @@ which the system will be deployed as closely as possible. - - - - + + + + (?i) - - + + (?i) - - - - - - - - - - - - + + + + + + + + + + + + (?i) - - + + - + - + - + - + /boot/config- - + - + - + - + - + - + - + - + - + 64 @@ -341756,44 +341772,44 @@ which the system will be deployed as closely as possible. - - + + - + - + - + - + - + - + - + - + - + - + 64 @@ -341806,114 +341822,114 @@ which the system will be deployed as closely as possible. - + - - - + + + - + - + - + - - - + + + - + - - + + - + - + - + - + Ciphers - + -oCiphers= - + MACs - + -oMACs= - + - - + + / - + - + ^ :x:(\d+):.*$ - - - - - - - - - - - + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ @@ -341986,22 +342002,22 @@ which the system will be deployed as closely as possible. ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - + ^\-w[\s]+ [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - - + + ^\-w[\s]+ \/var\/log\/lastlog [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - + ^\-w[\s]+ \/var\/log\/tallylog @@ -343834,948 +343850,948 @@ which the system will be deployed as closely as possible. - + ^\-w[\s]+ \/var\/log\/sudo.log [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - + - + ^(?:.*\s)?l1tf= (?:\s.*)?$ - - + + ^(?:.*\s)?rng_core.default_quality= (?:\s.*)?$ - - + + ^(?:.*\s)?slub_debug= (?:\s.*)?$ - - + + ^(?:.*\s)?spec_store_bypass_disable= (?:\s.*)?$ - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344783,7 +344799,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344791,7 +344807,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344799,7 +344815,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344807,7 +344823,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344815,7 +344831,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344823,7 +344839,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344831,7 +344847,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344839,7 +344855,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344847,7 +344863,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344855,7 +344871,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344863,7 +344879,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344871,7 +344887,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344879,7 +344895,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344887,7 +344903,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344895,7 +344911,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344903,7 +344919,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344911,7 +344927,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344919,7 +344935,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344927,7 +344943,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344935,7 +344951,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344943,7 +344959,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344951,497 +344967,497 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - - + + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - - + + hidepid= - + - + ^/etc/rsyslog.conf$ - + - + - + - + - + ^/etc/rsyslog.conf$ - + - + - + - + - + ^/etc/rsyslog.conf$ - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc/pam.d/system-auth - + - + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - - - + + + - + - + - + 64 @@ -345454,23 +345470,23 @@ which the system will be deployed as closely as possible. - - + + - + - + - + 64 @@ -345486,13 +345502,13 @@ which the system will be deployed as closely as possible. - + build_shorthand.py from SCAP Security Guide ssg: 0.1.71 2.0 - 2023-11-08T00:06:40 + 2023-11-09T00:08:47 @@ -381102,16 +381118,16 @@ $ rpm -q abrt-addon-ccpp - - + + - combine_ovals.py from SCAP Security Guide + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-08T00:06:20 + 2023-11-09T00:08:34 - + Alibaba Cloud Linux 2 @@ -381125,7 +381141,7 @@ $ rpm -q abrt-addon-ccpp - + Alibaba Cloud Linux 3 @@ -381139,7 +381155,7 @@ $ rpm -q abrt-addon-ccpp - + Anolis OS 8 @@ -381153,7 +381169,7 @@ $ rpm -q abrt-addon-ccpp - + Debian Linux 10 @@ -381167,7 +381183,7 @@ $ rpm -q abrt-addon-ccpp - + Debian Linux 11 @@ -381181,7 +381197,7 @@ $ rpm -q abrt-addon-ccpp - + Debian Linux 12 @@ -381195,7 +381211,7 @@ $ rpm -q abrt-addon-ccpp - + openSUSE Leap 15 @@ -381209,7 +381225,7 @@ $ rpm -q abrt-addon-ccpp - + openSUSE Leap 42 @@ -381225,7 +381241,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 22.04 LTS @@ -381239,7 +381255,7 @@ $ rpm -q abrt-addon-ccpp - + UnionTech OS Server 20 @@ -381253,7 +381269,7 @@ $ rpm -q abrt-addon-ccpp - + Red Hat Virtualization 4 @@ -381263,42 +381279,42 @@ $ rpm -q abrt-addon-ccpp The application installed installed on the system is Red Hat Virtualization 4. - + - + Package grub2 is installed Red Hat Enterprise Linux 8 - Checks if package grub2-common is installed. + Checks if package grub2-common is installed. - - + + - + Package providing /etc/login.defs is installed Red Hat Enterprise Linux 8 - Checks if package providing /etc/login.defs and is installed. + Checks if package providing /etc/login.defs and is installed. - + - + Check if the system doesn't act as an oVirt host or manager @@ -381306,78 +381322,78 @@ $ rpm -q abrt-addon-ccpp Check if the system has neither ovirt-host nor ovirt-engine installed. - - + + - + Check if the system acts as an oVirt host or manager Red Hat Enterprise Linux 8 - Check if the system has ovirt-host or ovirt-engine installed + Check if the system has ovirt-host or ovirt-engine installed - + WiFi interface is present Red Hat Enterprise Linux 8 - Checks if any wifi interface is present. + Checks if any wifi interface is present. - + - + Check if the scan target is a container Red Hat Enterprise Linux 8 - Check for presence of files characterizing container filesystems. + Check for presence of files characterizing container filesystems. - + Check if the scan target is a machine Red Hat Enterprise Linux 8 - Check for absence of files characterizing container filesystems. + Check for absence of files characterizing container filesystems. - - + + - + System runs on UEK kernel Red Hat Enterprise Linux 8 - Check if System is running on UEK kernel. + Check if System is running on UEK kernel. - + Kerberos server is older than 1.17-18 @@ -381391,7 +381407,7 @@ $ rpm -q abrt-addon-ccpp - + Kerberos workstation is older than 1.17-18 @@ -381405,7 +381421,7 @@ $ rpm -q abrt-addon-ccpp - + Test that the architecture is aarch64 @@ -381413,11 +381429,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64 - + - + Test for different architecture than aarch64 @@ -381425,11 +381441,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64 - - + + - + Test for different architecture than s390x @@ -381437,11 +381453,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x - - + + - + Test that the architecture is ppc64le @@ -381449,11 +381465,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le - + - + Test that the architecture is s390x @@ -381461,90 +381477,90 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x - + - + Running kernel has fips mode enabled Red Hat Enterprise Linux 8 - Check if sysctl crypto.fips_enabled = 1 + Check if sysctl crypto.fips_enabled = 1 - - + + - + Secure Boot status check Red Hat Enterprise Linux 8 - Check if System has Secure Boot enabled. + Check if System has Secure Boot enabled. - + - + SELinux status check Red Hat Enterprise Linux 8 - Check if System has SELinux enabled. + Check if System has SELinux enabled. - + SSSD is configured to use LDAP Red Hat Enterprise Linux 8 - Identification provider is not set to ad within /etc/sssd/sssd.conf + Identification provider is not set to ad within /etc/sssd/sssd.conf - - + + - + Non-UEFI system boot mode check Red Hat Enterprise Linux 8 - Check if System boot mode is non-UEFI. + Check if System boot mode is non-UEFI. - - + + - + UEFI system boot mode check Red Hat Enterprise Linux 8 - Check if system boot mode is UEFI. + Check if system boot mode is UEFI. - - + + - + Anolis OS 23 @@ -381558,7 +381574,7 @@ $ rpm -q abrt-addon-ccpp - + CentOS 7 @@ -381573,7 +381589,7 @@ $ rpm -q abrt-addon-ccpp - + CentOS 8 @@ -381589,7 +381605,7 @@ $ rpm -q abrt-addon-ccpp - + CentOS Stream 9 @@ -381605,7 +381621,7 @@ $ rpm -q abrt-addon-ccpp - + Debian @@ -381618,7 +381634,7 @@ $ rpm -q abrt-addon-ccpp - + Installed operating system is Fedora @@ -381637,7 +381653,7 @@ $ rpm -q abrt-addon-ccpp - + @@ -381649,7 +381665,7 @@ $ rpm -q abrt-addon-ccpp - + Oracle Linux 7 @@ -381659,14 +381675,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Oracle Linux 7 - + - + Oracle Linux 8 @@ -381676,14 +381692,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Oracle Linux 8 - + - + Oracle Linux 9 @@ -381693,14 +381709,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Oracle Linux 9 - + - + OpenEmbedded @@ -381714,7 +381730,7 @@ $ rpm -q abrt-addon-ccpp - + openSUSE @@ -381727,7 +381743,7 @@ $ rpm -q abrt-addon-ccpp - + Installed operating system is part of the Unix family @@ -381735,11 +381751,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is part of the Unix OS family - + - + Poky @@ -381753,7 +381769,7 @@ $ rpm -q abrt-addon-ccpp - + Red Hat Enterprise Linux CoreOS @@ -381763,14 +381779,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux CoreOS release 4 - + - + Red Hat Enterprise Linux CoreOS RHEL9 Based @@ -381780,11 +381796,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux CoreOS RHEL9 Based - + - + @@ -381796,7 +381812,7 @@ $ rpm -q abrt-addon-ccpp - + Red Hat Enterprise Linux 7 @@ -381806,21 +381822,21 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 7 - + - + - + Red Hat Enterprise Linux 8 @@ -381830,18 +381846,18 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8 - + - + - + Red Hat Enterprise Linux 8.0 @@ -381850,11 +381866,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.0 - + - + Red Hat Enterprise Linux 8.1 @@ -381863,11 +381879,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.1 - + - + Red Hat Enterprise Linux 8.2 @@ -381876,11 +381892,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.2 - + - + Red Hat Enterprise Linux 8.3 @@ -381889,11 +381905,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.3 - + - + Red Hat Enterprise Linux 8.4 @@ -381902,11 +381918,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.4 - + - + Red Hat Enterprise Linux 8.5 @@ -381915,11 +381931,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.5 - + - + Red Hat Enterprise Linux 8.6 @@ -381928,11 +381944,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.6 - + - + Red Hat Enterprise Linux 8.7 @@ -381941,11 +381957,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.7 - + - + Red Hat Enterprise Linux 8.8 @@ -381954,11 +381970,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.8 - + - + Red Hat Enterprise Linux 8.9 @@ -381967,11 +381983,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.9 - + - + Red Hat Enterprise Linux 8.10 @@ -381980,11 +381996,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.10 - + - + Red Hat Enterprise Linux 9 @@ -381994,18 +382010,18 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 9 - + - + - + Red Hat Virtualization 4 @@ -382020,7 +382036,7 @@ $ rpm -q abrt-addon-ccpp - + Scientific Linux 7 @@ -382035,7 +382051,7 @@ $ rpm -q abrt-addon-ccpp - + SUSE Linux Enterprise 12 @@ -382046,7 +382062,7 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is SUSE Linux Enterprise 12. - + @@ -382055,7 +382071,7 @@ $ rpm -q abrt-addon-ccpp - + SUSE Linux Enterprise 15 @@ -382066,7 +382082,7 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is SUSE Linux Enterprise 15. - + @@ -382077,7 +382093,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu @@ -382091,7 +382107,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 16.04 LTS @@ -382105,7 +382121,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 18.04 LTS @@ -382119,7 +382135,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 20.04 LTS @@ -382133,33 +382149,33 @@ $ rpm -q abrt-addon-ccpp - + System uses zIPL Red Hat Enterprise Linux 8 - Checks if system uses zIPL bootloader. + Checks if system uses zIPL bootloader. - + - + Check if the environment is a OSBuild pipeline Red Hat Enterprise Linux 8 - Check the value of environment variable container. + Check the value of environment variable container. - + - + IPv6 is enabled on system @@ -382168,11 +382184,11 @@ $ rpm -q abrt-addon-ccpp - - + + - + Mountpoint /home is active (mounted) or configured in /etc/fstab @@ -382181,15 +382197,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /opt is active (mounted) or configured in /etc/fstab @@ -382198,15 +382214,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /srv is active (mounted) or configured in /etc/fstab @@ -382215,15 +382231,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /tmp is active (mounted) or configured in /etc/fstab @@ -382232,15 +382248,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var/log/audit is active (mounted) or configured in /etc/fstab @@ -382249,15 +382265,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var/log is active (mounted) or configured in /etc/fstab @@ -382266,15 +382282,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var/tmp is active (mounted) or configured in /etc/fstab @@ -382283,15 +382299,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var is active (mounted) or configured in /etc/fstab @@ -382300,15 +382316,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Operating System is ol @@ -382321,7 +382337,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is ol @@ -382334,7 +382350,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382347,7 +382363,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382360,7 +382376,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382373,7 +382389,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382386,7 +382402,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382399,7 +382415,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382412,7 +382428,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382425,7 +382441,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382438,7 +382454,7 @@ $ rpm -q abrt-addon-ccpp - + Package audit is installed @@ -382446,11 +382462,11 @@ $ rpm -q abrt-addon-ccpp The RPM package audit should be installed. - + - + Package bash is installed @@ -382458,11 +382474,11 @@ $ rpm -q abrt-addon-ccpp The RPM package bash should be installed. - + - + Package chrony is installed @@ -382470,11 +382486,11 @@ $ rpm -q abrt-addon-ccpp The RPM package chrony should be installed. - + - + Package firewalld is installed @@ -382482,11 +382498,11 @@ $ rpm -q abrt-addon-ccpp The RPM package firewalld should be installed. - + - + Package gdm is installed @@ -382494,11 +382510,11 @@ $ rpm -q abrt-addon-ccpp The RPM package gdm should be installed. - + - + Package iptables is installed @@ -382506,11 +382522,11 @@ $ rpm -q abrt-addon-ccpp The RPM package iptables should be installed. - + - + Package libuser is installed @@ -382518,11 +382534,11 @@ $ rpm -q abrt-addon-ccpp The RPM package libuser should be installed. - + - + Package logrotate is installed @@ -382530,11 +382546,11 @@ $ rpm -q abrt-addon-ccpp The RPM package logrotate should be installed. - + - + Package net-snmp is installed @@ -382542,11 +382558,11 @@ $ rpm -q abrt-addon-ccpp The RPM package net-snmp should be installed. - + - + Package nftables is installed @@ -382554,11 +382570,11 @@ $ rpm -q abrt-addon-ccpp The RPM package nftables should be installed. - + - + Package nss-pam-ldapd is installed @@ -382566,11 +382582,11 @@ $ rpm -q abrt-addon-ccpp The RPM package nss-pam-ldapd should be installed. - + - + Package ntp is installed @@ -382578,11 +382594,11 @@ $ rpm -q abrt-addon-ccpp The RPM package ntp should be installed. - + - + Package pam is installed @@ -382590,11 +382606,11 @@ $ rpm -q abrt-addon-ccpp The RPM package pam should be installed. - + - + Package polkit is installed @@ -382602,11 +382618,11 @@ $ rpm -q abrt-addon-ccpp The RPM package polkit should be installed. - + - + Package postfix is installed @@ -382614,11 +382630,11 @@ $ rpm -q abrt-addon-ccpp The RPM package postfix should be installed. - + - + Package rsh-server is installed @@ -382626,11 +382642,11 @@ $ rpm -q abrt-addon-ccpp The RPM package rsh-server should be installed. - + - + Package shadow-utils is installed @@ -382638,11 +382654,11 @@ $ rpm -q abrt-addon-ccpp The RPM package shadow-utils should be installed. - + - + Package sssd-common is installed @@ -382650,11 +382666,11 @@ $ rpm -q abrt-addon-ccpp The RPM package sssd-common should be installed. - + - + Package sudo is installed @@ -382662,11 +382678,11 @@ $ rpm -q abrt-addon-ccpp The RPM package sudo should be installed. - + - + Package systemd is installed @@ -382674,11 +382690,11 @@ $ rpm -q abrt-addon-ccpp The RPM package systemd should be installed. - + - + Package tftp-server is installed @@ -382686,11 +382702,11 @@ $ rpm -q abrt-addon-ccpp The RPM package tftp-server should be installed. - + - + Package tmux is installed @@ -382698,11 +382714,11 @@ $ rpm -q abrt-addon-ccpp The RPM package tmux should be installed. - + - + Package ufw is installed @@ -382710,11 +382726,11 @@ $ rpm -q abrt-addon-ccpp The RPM package ufw should be installed. - + - + Package usbguard is installed @@ -382722,11 +382738,11 @@ $ rpm -q abrt-addon-ccpp The RPM package usbguard should be installed. - + - + Package yum is installed @@ -382734,11 +382750,11 @@ $ rpm -q abrt-addon-ccpp The RPM package yum should be installed. - + - + The firewalld is disabled on the system @@ -382748,7 +382764,7 @@ $ rpm -q abrt-addon-ccpp - + @@ -382756,582 +382772,582 @@ $ rpm -q abrt-addon-ccpp - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -383392,13 +383408,13 @@ $ rpm -q abrt-addon-ccpp ovirt-engine - + /proc/net/wireless - + /.dockerenv - + /run/.containerenv @@ -383440,7 +383456,7 @@ $ rpm -q abrt-addon-ccpp ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$ 1 - + /sys/firmware/efi @@ -383470,7 +383486,7 @@ $ rpm -q abrt-addon-ccpp ^VERSION_ID="(\d)"$ 1 - + /etc/debian_version @@ -383495,7 +383511,7 @@ $ rpm -q abrt-addon-ccpp oraclelinux-release - + /etc/os-release @@ -383507,7 +383523,7 @@ $ rpm -q abrt-addon-ccpp openSUSE-release - + /etc/os-release @@ -383636,7 +383652,7 @@ $ rpm -q abrt-addon-ccpp SLE_HPC-release - + /etc/lsb-release @@ -383666,7 +383682,7 @@ $ rpm -q abrt-addon-ccpp container - + /etc/default/grub ^\s*GRUB_CMDLINE_LINUX=".*ipv6\.disable=(\d).*$ @@ -383911,11 +383927,11 @@ $ rpm -q abrt-addon-ccpp yum - + ^firewalld\.(service|socket)$ ActiveState - + ^firewalld\.(service|socket)$ LoadState @@ -383924,280 +383940,280 @@ $ rpm -q abrt-addon-ccpp - + ^2.*$ - + ^3.*$ - + ^8.*$ - + ^15.*$ - + ^42.*$ - + ^20.*$ - + ^4.*$ - + ^.*uek.* - + 0:1.17-18 - + 0:1.17-18 - + ^aarch64$ - + ^ppc64le$ - + ^s390x$ - + 1 - + b401b4bd7e4f321db95fcae00d274ab8aa2cf1852d1495c382356d981f63d771 - + ^(enforcing|permissive)$ - + ^23.*$ - + ^7.*$ - + centos - + 8 - + centos - + 9 - + ol - + ^7.*$ - + ^8.*$ - + ^9.*$ - + openSUSE-release - + unix - + rhcos - + 4 - + 9 - + rhel - + unix - + ^7.*$ - + ^7.*$ - + ^7.*$ - + ^7.*$ - + 7 - + unix - + ^8.*$ - + ^8.0*$ - + ^8.1*$ - + ^8.2*$ - + ^8.3*$ - + ^8.4*$ - + ^8.5*$ - + ^8.6*$ - + ^8.7*$ - + ^8.8*$ - + ^8.9*$ - + ^8.10*$ - + 8 - + unix - + ^9.*$ - + 9 - + 0:4.4 - + ^7.*$ - + unix - + ^12.*$ - + ^12.*$ - + ^12.*$ - + unix - + ^15.*$ - + ^15.*$ - + ^15.*$ - + ^4.*$ - + ^15.*$ - + bwrap-osbuild - + ppc64le - + 0 - + ol - + 8.7 - + ol - + 9.0 - + rhel - + 8.2 - + rhel - + 8.7 - + rhel - + 9 - + rhel - + 9.0 - + rhel - + 8.3 - + rhel - + 8.4 - + rhel - + 8.5 - + rhel - + 9.0 - + inactive|failed - + masked diff --git a/ssg-rhel8-ds.xml b/ssg-rhel8-ds.xml index cf5f26e..2127daf 100644 --- a/ssg-rhel8-ds.xml +++ b/ssg-rhel8-ds.xml @@ -25,7 +25,7 @@ - + Red Hat Enterprise Linux 8 @@ -77,9 +77,9 @@ - + - draft + draft Guide to the Secure Configuration of Red Hat Enterprise Linux 8 This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of @@ -844,246 +844,246 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - + + + + + + + + + + + - - - - - - + - - - - - - - - - - - - - - - - + + + + + + + + + + + + - - - + + + + - - - - - - - - - - - - + + + - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - + - - - + + + + - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + - + + + + + + - - - - - + + + + + + + + + + + + @@ -1314,320 +1314,320 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + - - - - - + + + + - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + - - + + - - - + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + @@ -1860,175 +1860,175 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - - + + + + - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + + + + + - - - - + - - - - - - - - - - - - + + + + + + + + + + - + + + + - - - - - - - + + + - - + + - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - - - - + - - - - - - - - - - - - + + + + + - - - - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - + + + + + + + + + - - - + + + + + + + + + @@ -2269,53 +2269,53 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. A copy of the ANSSI-BP-028 can be found at the ANSSI website: https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - + + + + + + + + + + + - - - + + + + + - - - - - - - - + + + + - + + + + + + + + + - - - - - - + + + + + - - - - - + - - - - - - - - - - + + + - - - - @@ -2569,365 +2569,365 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + - - - - - - - - - - - - - + - - - - - - - + + + + - - - - - - - - - - + - - - - - - + + + + + - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + @@ -3132,289 +3132,289 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - + - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - + + - - - - - - - - - + + - + + + - - + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + - - + + + + - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - - - - + - - - - + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + - - - - - - + + + + + + + + + - - + + + + + + + + + + + + + - - - - - + + - - - - - - - - - - - - - - - - + + + + + + + + + - + + - - - + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - + @@ -3625,282 +3625,282 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - + - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - + + - + + + - - + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + - - - - - - - - - - - + + + + + + - - - - - - + + + + + + + + + - - - - - - - - - - + + + - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - + - - - - - - + + + + + + + + + - - + + + + + + + + + + + + + - - - - + + - - - - - - - - - - - - - - - - + + + + + + + + + + - + + - - - + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - + @@ -4118,361 +4118,361 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content. https://www.cisecurity.org/benchmark/red_hat_linux/ - - - - - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + - - - - - - - - - - - - - + - - - - - - - + + + + - - - - - - - - - + - - - - - - + + + + + - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + - - - - - + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + + + + + @@ -4681,111 +4681,111 @@ Policy Resource Center: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center - - - - - - - - - - - - - - - - - - - - - - - + + - + - + + + + + - + + - - - - - + + + + + - - - - - - + - - - - - - - - + + + + + - + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + - - - - - + + - - - - - - - - - + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + - - - - - - - - - - @@ -5032,216 +5032,216 @@ in NIST Special Publication 800-53. This profile configures Red Hat Enterprise Linux 8 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)." - - - - - - - - - - - - - - + + - - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - + + + + + - - - - - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - + + + + + + - - - - - + + - - - - - - - - - - - + + + - - + + + + + - - + + + + + + + + + - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + + - + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + - + + + - - - - - + + + - - - - - - - - - @@ -5474,104 +5474,104 @@ ACSC website: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers - - + + + + + + + + - - - - - - - - + + + - - + + + + - - - + + + + + + - - - - - + + + - - - - - - - - + + + - - - - - - + + + + + + + + + + + + + + + - + + - + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - + - - - + + + - - - - - - - - - - - - - - + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + @@ -5777,163 +5777,163 @@ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-work - - - - - - - - - Health Insurance Portability and Accountability Act (HIPAA) - The HIPAA Security Rule establishes U.S. national standards to protect individuals’ -electronic personal health information that is created, received, used, or -maintained by a covered entity. The Security Rule requires appropriate -administrative, physical and technical safeguards to ensure the -confidentiality, integrity, and security of electronic protected health -information. - -This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security -Rule identified for securing of electronic protected health information. -Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). - https://www.hhs.gov/hipaa/for-professionals/index.html - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + Health Insurance Portability and Accountability Act (HIPAA) + The HIPAA Security Rule establishes U.S. national standards to protect individuals’ +electronic personal health information that is created, received, used, or +maintained by a covered entity. The Security Rule requires appropriate +administrative, physical and technical safeguards to ensure the +confidentiality, integrity, and security of electronic protected health +information. + +This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security +Rule identified for securing of electronic protected health information. +Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + https://www.hhs.gov/hipaa/for-professionals/index.html + - - - + + + + + - - + - - - - - + + - + + + + + + + + + - - - + + + + + + + + - - - - - - - - - - + + + + - - - - - - - - - + + + + + + - - - + + + + + + + + + - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - + + + + - - - - + + + + - - - + + - - - - - + + + + - + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + @@ -6155,157 +6155,157 @@ A copy of the ISM can be found at the ACSC website: https://www.cyber.gov.au/ism https://www.cyber.gov.au/ism - - + + + + + + + + + + - - - - - - - - - + + + - - - + + + + + + - - - - - - - + + + + + + + + + - - - - - - - + + + - - - - - - - - - + - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - + - - + + + - - - - - - - - - - - - - + + + - - + + + + + + + + + + + + + + + - + + + + + + + + - + + + + + + + + + + + - + - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -6512,216 +6512,216 @@ U.S. National Security Systems to adhere to certain configuration parameters. Accordingly, this configuration profile is suitable for use in U.S. National Security Systems. https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442 - - - - - - - - - - - - - - + + - - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - + + + + + - - - - - - - - - - + + + - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - + + + + + + - - - - - + + - - - - - - - - - - - + + + - - + + + + + - - + + + + + + + + + - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + + - + + + + + + + - - - + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + - + + + - - - - - + + + - - - - - - - - - @@ -6947,131 +6947,131 @@ use in U.S. National Security Systems. PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 Ensures PCI-DSS v3.2.1 security configuration settings are applied. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - - - - - - - - - - - - - - - - - - - - - - - - - + - - + + + + + + + + + + + + + + - - + + - - - - - - - - - - - + - - + + + + + + + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + - - - + + + + + + - + + + + + - - - - - - - + + + + - - - - - - - + + - + + + + + - - + + + + + + + + + - - - + + + + + + + - - - - - + + - - - - - - - + + + - - + + + - - - - - - - - + + + + + + + + + + @@ -7297,77 +7297,77 @@ use in U.S. National Security Systems. configuration settings recommended by Red Hat, Inc for Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified Cloud Providers. - - + - - + - - - - - - - + + + + - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - + + - - - - - - - + + + - - - - - - - + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + @@ -7607,85 +7607,85 @@ Cloud Providers. This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload all of these checks should pass. - - - - - - - - - - - - - - - - - + + + - - - - - - - - + + + + + + - - - - - - + + - - - - - - - - + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + - - - + + - - + + + + + + + + + + + + + - - - - - - - - - - - - + + + + + + + + + - - - + + + + + @@ -7924,409 +7924,416 @@ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - + - - + + + + + + + + + + + - - - - - - - - - - - + + + + - - - - - - + + + + + + + + + + + + + + + + + + - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - - - - - + + + + + + + + + + + + + + + + + + + - - - + + + + + + @@ -8548,406 +8555,413 @@ your Information Systems Security Officer (ISSO) lacks a documented operational requirement for a graphical user interface, please consider using the standard DISA STIG for Red Hat Enterprise Linux 8 profile. https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - + + + + - - - - - + + + + + + + - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - + - - + + + + + + + + + + + - - - - - - - - - - - + + + + - - - - - - + + + + + + + + + + + + + + + + + + - - - - + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - + + + + + - - - - - + + + + + + + + + + + + + + + + + + + - - - + + + + + + @@ -47463,8 +47477,6 @@ updates as of version 0.1.69. PR.AC-6 SRG-OS-000123-GPOS-00064 SRG-OS-000002-GPOS-00002 - RHEL-08-020270 - SV-230374r903129_rule If emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all emergency accounts @@ -47550,7 +47562,9 @@ period of 72 hours. SRG-OS-000123-GPOS-00064 SRG-OS-000002-GPOS-00002 RHEL-08-020000 + RHEL-08-020270 SV-230331r627750_rule + SV-230374r903129_rule If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts @@ -183544,7 +183558,9 @@ above. Req-1.4 1.5.1 SRG-OS-000480-GPOS-00227 + RHEL-08-040090 3.4.1.5 + SV-230504r854047_rule In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. @@ -280135,16 +280151,16 @@ which the system will be deployed as closely as possible. - - + + - combine_ovals.py from SCAP Security Guide + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-08T00:06:20 + 2023-11-09T00:08:19 - + Disable DHCP Client in ifcfg @@ -280154,11 +280170,11 @@ which the system will be deployed as closely as possible. - + - + Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. @@ -280168,7 +280184,7 @@ which the system will be deployed as closely as possible. - + @@ -280176,7 +280192,7 @@ which the system will be deployed as closely as possible. - + Enable Logging of All FTP Transactions @@ -280189,7 +280205,7 @@ which the system will be deployed as closely as possible. - + @@ -280197,7 +280213,7 @@ which the system will be deployed as closely as possible. - + Create Warning Banners for All FTP Users @@ -280212,7 +280228,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on the /etc/httpd/conf/ Directory @@ -280226,7 +280242,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on the /var/log/httpd/ Directory @@ -280240,7 +280256,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/ @@ -280254,7 +280270,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on All Configuration Files Inside /etc/httpd/conf/ @@ -280268,7 +280284,7 @@ which the system will be deployed as closely as possible. - + Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/ @@ -280282,7 +280298,7 @@ which the system will be deployed as closely as possible. - + Disable Plaintext Authentication @@ -280296,7 +280312,7 @@ which the system will be deployed as closely as possible. - + Enable the SSL flag in /etc/dovecot.conf @@ -280310,7 +280326,7 @@ which the system will be deployed as closely as possible. - + Disable Kerberos by removing host keytab @@ -280320,11 +280336,11 @@ which the system will be deployed as closely as possible. - - + + - + Enable the LDAP Client For Use in Authconfig @@ -280334,11 +280350,11 @@ which the system will be deployed as closely as possible. - + - + Configure LDAP Client to Use TLS For All Transactions @@ -280353,7 +280369,7 @@ which the system will be deployed as closely as possible. - + Configure Certificate Directives for LDAP Use of TLS @@ -280368,7 +280384,7 @@ which the system will be deployed as closely as possible. - + Ensure Mail Transfer Agent is not Listening on any non-loopback Address @@ -280378,11 +280394,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure System to Forward All Mail For The Root Account @@ -280392,11 +280408,11 @@ which the system will be deployed as closely as possible. - + - + Configure System to Forward All Mail From Postmaster to The Root Account @@ -280406,11 +280422,11 @@ which the system will be deployed as closely as possible. - + - + Disable Postfix Network Listening @@ -280421,11 +280437,11 @@ which the system will be deployed as closely as possible. - + - + Configure SMTP Greeting Banner @@ -280439,7 +280455,7 @@ which the system will be deployed as closely as possible. - + Prevent Unrestricted Mail Relaying @@ -280456,7 +280472,7 @@ which the system will be deployed as closely as possible. - + Ensure Insecure File Locking is Not Allowed @@ -280466,11 +280482,11 @@ which the system will be deployed as closely as possible. - + - + Use Kerberos Security on All Exports @@ -280483,10 +280499,10 @@ which the system will be deployed as closely as possible. - + - + Disable chrony daemon from acting as server @@ -280498,11 +280514,11 @@ which the system will be deployed as closely as possible. - - + + - + Disable network management of chrony daemon @@ -280514,11 +280530,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure Time Service Maxpoll Interval @@ -280546,7 +280562,7 @@ which the system will be deployed as closely as possible. - + Specify Additional Remote NTP Servers @@ -280567,7 +280583,7 @@ which the system will be deployed as closely as possible. - + Specify a Remote NTP Server @@ -280588,7 +280604,7 @@ which the system will be deployed as closely as possible. - + Ensure that chronyd is running under chrony user account @@ -280602,7 +280618,7 @@ which the system will be deployed as closely as possible. - + Ensure Chrony is only configured with the server directive @@ -280612,12 +280628,12 @@ which the system will be deployed as closely as possible. - + - + A remote time server for Chrony is configured @@ -280628,11 +280644,11 @@ which the system will be deployed as closely as possible. - + - + Specify Additional Remote NTP Servers @@ -280641,11 +280657,11 @@ which the system will be deployed as closely as possible.Multiple ntpd NTP Servers for time synchronization should be specified. - + - + Specify a Remote NTP Server @@ -280655,11 +280671,11 @@ which the system will be deployed as closely as possible. - + - + Enable the NTP Daemon @@ -280674,7 +280690,7 @@ which the system will be deployed as closely as possible. - + Remove Host-Based Authentication Files @@ -280684,11 +280700,11 @@ which the system will be deployed as closely as possible. - + - + Remove Rsh Trust Files @@ -280699,12 +280715,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Remove User Host-Based Authentication Files @@ -280714,11 +280730,11 @@ which the system will be deployed as closely as possible. - + - + Ensure tftp Daemon Uses Secure Mode @@ -280733,7 +280749,7 @@ which the system will be deployed as closely as possible. - + Disable Printer Browsing Entirely if Possible @@ -280752,7 +280768,7 @@ which the system will be deployed as closely as possible. - + Disable Print Server Capabilities @@ -280772,7 +280788,7 @@ which the system will be deployed as closely as possible. - + Require Client SMB Packet Signing, if using mount.cifs @@ -280799,7 +280815,7 @@ which the system will be deployed as closely as possible. - + Require Client SMB Packet Signing, if using smbclient @@ -280818,7 +280834,7 @@ which the system will be deployed as closely as possible. - + Ensure Default SNMP Password Is Not Used @@ -280827,11 +280843,11 @@ which the system will be deployed as closely as possible.SNMP default communities must be removed. - + - + Configure SNMP Service to Use Only SNMPv3 or Newer @@ -280846,7 +280862,7 @@ which the system will be deployed as closely as possible. - + Verify Permissions on SSH Server Private *_key Key Files @@ -280860,7 +280876,7 @@ which the system will be deployed as closely as possible. - + Remove SSH Server firewalld Firewall exception (Unusual) @@ -280877,7 +280893,7 @@ which the system will be deployed as closely as possible. - + Configure session renegotiation for SSH client @@ -280888,11 +280904,11 @@ which the system will be deployed as closely as possible. - + - + SSH client uses strong entropy to seed (for CSH like shells) @@ -280907,7 +280923,7 @@ which the system will be deployed as closely as possible. - + SSH client uses strong entropy to seed (Bash-like shells) @@ -280922,7 +280938,7 @@ which the system will be deployed as closely as possible. - + Enable SSH Server firewalld Firewall Exception @@ -280948,7 +280964,7 @@ which the system will be deployed as closely as possible. - + Allow Only SSH Protocol 2 @@ -280973,7 +280989,7 @@ which the system will be deployed as closely as possible. - + Disable Compression Or Set Compression to delayed @@ -280995,7 +281011,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Support for Rhosts RSA Authentication @@ -281016,12 +281032,12 @@ which the system will be deployed as closely as possible. - + - + Limit Users' SSH Access @@ -281038,7 +281054,7 @@ which the system will be deployed as closely as possible. - + Force frequent session key renegotiation @@ -281062,7 +281078,7 @@ which the system will be deployed as closely as possible. - + Set SSH Client Alive Interval @@ -281087,7 +281103,7 @@ which the system will be deployed as closely as possible. - + Set SSH Client Alive Count Max @@ -281098,21 +281114,21 @@ which the system will be deployed as closely as possible. - - - - + + + + - - - - - + + + + + - + Ensure SSH LoginGraceTime is configured @@ -281135,7 +281151,7 @@ which the system will be deployed as closely as possible. - + Set SSH authentication attempt limit @@ -281158,7 +281174,7 @@ which the system will be deployed as closely as possible. - + Set SSH MaxSessions limit @@ -281181,7 +281197,7 @@ which the system will be deployed as closely as possible. - + Ensure SSH MaxStartups is configured @@ -281198,13 +281214,13 @@ which the system will be deployed as closely as possible. - - - + + + - + Use Only FIPS 140-2 Validated Ciphers @@ -281229,7 +281245,7 @@ which the system will be deployed as closely as possible. - + Use Only FIPS 140-2 Validated Key Exchange Algorithms @@ -281254,7 +281270,7 @@ which the system will be deployed as closely as possible. - + Use Only FIPS 140-2 Validated MACs @@ -281279,7 +281295,7 @@ which the system will be deployed as closely as possible. - + Enable Use of Privilege Separation @@ -281297,7 +281313,7 @@ which the system will be deployed as closely as possible. - + Certificate status checking in SSSD @@ -281308,11 +281324,11 @@ which the system will be deployed as closely as possible. - + - + Configure PAM in SSSD Services @@ -281323,11 +281339,11 @@ which the system will be deployed as closely as possible. - + - + Enable Smartcards in SSSD @@ -281344,7 +281360,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD's Memory Cache to Expire @@ -281358,7 +281374,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD to Expire Offline Credentials @@ -281373,7 +281389,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD to run as user sssd @@ -281383,11 +281399,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSSD to Expire SSH Known Hosts @@ -281401,7 +281417,7 @@ which the system will be deployed as closely as possible. - + Configure SSSD LDAP Backend Client CA Certificate Location @@ -281411,11 +281427,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server @@ -281425,11 +281441,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSSD LDAP Backend to Use TLS For All Transactions @@ -281439,11 +281455,11 @@ which the system will be deployed as closely as possible. - + - + Log USBGuard daemon audit events using Linux Audit @@ -281460,7 +281476,7 @@ which the system will be deployed as closely as possible. - + Authorize Human Interface Devices in USBGuard daemon @@ -281474,7 +281490,7 @@ which the system will be deployed as closely as possible. - + Authorize Human Interface Devices and USB hubs in USBGuard daemon @@ -281488,7 +281504,7 @@ which the system will be deployed as closely as possible. - + Authorize USB hubs in USBGuard daemon @@ -281502,7 +281518,7 @@ which the system will be deployed as closely as possible. - + Generate USBGuard Policy @@ -281516,7 +281532,7 @@ which the system will be deployed as closely as possible. - + Disable graphical user interface @@ -281526,14 +281542,14 @@ which the system will be deployed as closely as possible. - + - + Disable X Windows Startup By Setting Default Target @@ -281543,11 +281559,11 @@ which the system will be deployed as closely as possible. - + - + Enable authselect @@ -281557,7 +281573,7 @@ which the system will be deployed as closely as possible. - + @@ -281565,7 +281581,7 @@ which the system will be deployed as closely as possible. - + Modify the System Login Banner @@ -281575,11 +281591,11 @@ which the system will be deployed as closely as possible. - + - + Modify the System Login Banner for Remote Connections @@ -281589,11 +281605,11 @@ which the system will be deployed as closely as possible. - - + + - + Modify the System Message of the Day Banner @@ -281603,11 +281619,11 @@ which the system will be deployed as closely as possible. - + - + Enable GNOME3 Login Warning Banner @@ -281618,7 +281634,7 @@ which the system will be deployed as closely as possible. - + @@ -281626,7 +281642,7 @@ which the system will be deployed as closely as possible. - + Set the GNOME3 Login Warning Banner Text @@ -281637,7 +281653,7 @@ which the system will be deployed as closely as possible. - + @@ -281645,7 +281661,7 @@ which the system will be deployed as closely as possible. - + Disallow Configuration to Bypass Password Requirements for Privilege Escalation @@ -281655,11 +281671,11 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Displays Last Logon/Access Notification @@ -281669,11 +281685,11 @@ which the system will be deployed as closely as possible. - - + + - + Set Up a Private Namespace in PAM Configuration @@ -281683,11 +281699,11 @@ which the system will be deployed as closely as possible. - + - + An SELinux Context must be configured for the pam_faillock.so records directory @@ -281698,11 +281714,11 @@ which the system will be deployed as closely as possible. - - + + - + Account Lockouts Must Be Logged @@ -281712,20 +281728,20 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - + + + + - + Limit Password Reuse: password-auth @@ -281735,21 +281751,21 @@ which the system will be deployed as closely as possible. - - - - - - + + + + + + - - - + + + - + Limit Password Reuse: system-auth @@ -281759,21 +281775,21 @@ which the system will be deployed as closely as possible. - - - - - - + + + + + + - - - + + + - + Limit Password Reuse @@ -281783,24 +281799,24 @@ which the system will be deployed as closely as possible. - - - - - - - + + + + + + + - - - + + + - + - + Account Lockouts Must Be Logged @@ -281810,20 +281826,20 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - + + + + - + Lock Accounts After Failed Password Attempts @@ -281833,34 +281849,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Configure the root Account for Failed Password Attempts @@ -281871,34 +281887,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Lock Accounts Must Persist @@ -281908,20 +281924,20 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - + + + + - + Enforce pam_faillock for Local Accounts Only @@ -281931,23 +281947,23 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - + - + Set Interval For Counting Failed Password Attempts @@ -281957,34 +281973,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Do Not Show System Messages When Unsuccessful Logon Attempts Occur @@ -281994,19 +282010,19 @@ which the system will be deployed as closely as possible. - - - - + + + + - - - - + + + + - + Set Lockout Time for Failed Password Attempts @@ -282016,34 +282032,34 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - + + + + - + Ensure PAM password complexity module is enabled in password-auth @@ -282053,11 +282069,11 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM password complexity module is enabled in system-auth @@ -282067,11 +282083,11 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session @@ -282081,19 +282097,19 @@ which the system will be deployed as closely as possible. - - + + - + - + Set Password Hashing Algorithm in /etc/libuser.conf @@ -282107,7 +282123,7 @@ which the system will be deployed as closely as possible. - + Set Password Hashing Algorithm in /etc/login.defs @@ -282121,7 +282137,7 @@ which the system will be deployed as closely as possible. - + Set PAM''s Password Hashing Algorithm - password-auth @@ -282135,7 +282151,7 @@ which the system will be deployed as closely as possible. - + Set PAM''s Password Hashing Algorithm @@ -282149,7 +282165,7 @@ which the system will be deployed as closely as possible. - + Set Password Hashing Minimum Rounds in /etc/login.defs @@ -282166,12 +282182,12 @@ which the system will be deployed as closely as possible. - + - + Disable Ctrl-Alt-Del Burst Action @@ -282183,11 +282199,11 @@ which the system will be deployed as closely as possible. - + - + Disable Ctrl-Alt-Del Reboot Activation @@ -282198,11 +282214,11 @@ which the system will be deployed as closely as possible. - + - + Verify that Interactive Boot is Disabled @@ -282214,14 +282230,14 @@ which the system will be deployed as closely as possible. - + - - + + - + Configure Logind to terminate idle sessions after certain time of inactivity @@ -282236,7 +282252,7 @@ which the system will be deployed as closely as possible. - + Require Authentication for Emergency Systemd Target @@ -282250,11 +282266,11 @@ which the system will be deployed as closely as possible. - - + + - + Require Authentication for Single User Mode @@ -282269,7 +282285,7 @@ which the system will be deployed as closely as possible. - + Support session locking with tmux @@ -282283,7 +282299,7 @@ which the system will be deployed as closely as possible. - + Support session locking with tmux (not enforcing) @@ -282297,7 +282313,7 @@ which the system will be deployed as closely as possible. - + Configure tmux to lock session after inactivity @@ -282312,7 +282328,7 @@ which the system will be deployed as closely as possible. - + Configure the tmux Lock Command @@ -282327,7 +282343,7 @@ which the system will be deployed as closely as possible. - + Configure the tmux lock session key binding @@ -282342,7 +282358,7 @@ which the system will be deployed as closely as possible. - + Prevent user from disabling the screen lock @@ -282356,7 +282372,7 @@ which the system will be deployed as closely as possible. - + Configure opensc Smart Card Drivers @@ -282367,11 +282383,11 @@ which the system will be deployed as closely as possible. - - + + - + Force opensc To Use Defined Smart Card Driver @@ -282382,11 +282398,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All Accounts on the System Have Unique User IDs @@ -282396,11 +282412,11 @@ which the system will be deployed as closely as possible. - + - + Only Authorized Local User Accounts Exist on Operating System @@ -282411,11 +282427,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All Groups on the System Have Unique Group ID @@ -282425,11 +282441,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Groups on the System Have Unique Group Names @@ -282439,11 +282455,11 @@ which the system will be deployed as closely as possible. - + - + Set Account Expiration Following Inactivity @@ -282453,11 +282469,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Accounts on the System Have Unique Names @@ -282467,11 +282483,11 @@ which the system will be deployed as closely as possible. - + - + Set Password Maximum Age @@ -282481,11 +282497,11 @@ which the system will be deployed as closely as possible. - + - + Set Password Minimum Age @@ -282495,11 +282511,11 @@ which the system will be deployed as closely as possible. - + - + Set Password Minimum Length in login.defs @@ -282513,7 +282529,7 @@ which the system will be deployed as closely as possible. - + Set Existing Passwords Maximum Age @@ -282524,12 +282540,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Set Existing Passwords Minimum Age @@ -282540,12 +282556,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Set Existing Passwords Warning Age @@ -282556,11 +282572,11 @@ which the system will be deployed as closely as possible. - - + + - + Set Password Warning Age @@ -282570,11 +282586,11 @@ which the system will be deployed as closely as possible. - + - + Set existing passwords a period of inactivity before they been locked @@ -282585,11 +282601,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify All Account Password Hashes are Shadowed @@ -282599,11 +282615,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify All Account Password Hashes are Shadowed with SHA512 @@ -282613,11 +282629,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure all users last password change date is in the past @@ -282628,11 +282644,11 @@ which the system will be deployed as closely as possible. - - + + - + Set number of Password Hashing Rounds - password-auth @@ -282650,7 +282666,7 @@ which the system will be deployed as closely as possible. - + Set number of Password Hashing Rounds - system-auth @@ -282668,7 +282684,7 @@ which the system will be deployed as closely as possible. - + All GIDs referenced in /etc/passwd must be defined in /etc/group @@ -282678,11 +282694,11 @@ which the system will be deployed as closely as possible. - + - + Prevent Login to Accounts With Empty Password @@ -282692,11 +282708,11 @@ which the system will be deployed as closely as possible. - + - + Ensure There Are No Accounts With Blank or Null Passwords @@ -282706,11 +282722,11 @@ which the system will be deployed as closely as possible. - + - + Verify No .forward Files Exist @@ -282720,11 +282736,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure there are no legacy + NIS entries in /etc/group @@ -282734,11 +282750,11 @@ which the system will be deployed as closely as possible. - + - + Ensure there are no legacy + NIS entries in /etc/passwd @@ -282748,11 +282764,11 @@ which the system will be deployed as closely as possible. - + - + Ensure there are no legacy + NIS entries in /etc/shadow @@ -282762,11 +282778,11 @@ which the system will be deployed as closely as possible. - + - + Verify No netrc Files Exist @@ -282776,11 +282792,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify Only Root Has UID 0 @@ -282790,11 +282806,11 @@ which the system will be deployed as closely as possible. - + - + Verify Root Has A Primary GID 0 @@ -282804,11 +282820,11 @@ which the system will be deployed as closely as possible. - + - + Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty @@ -282823,7 +282839,7 @@ which the system will be deployed as closely as possible. - + Direct root Logins Not Allowed @@ -282839,7 +282855,7 @@ which the system will be deployed as closely as possible. - + Ensure that System Accounts Are Locked @@ -282849,11 +282865,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure that System Accounts Do Not Run a Shell Upon Login @@ -282871,14 +282887,14 @@ which the system will be deployed as closely as possible. - - + + - + Restrict Serial Port Root Logins @@ -282890,11 +282906,11 @@ which the system will be deployed as closely as possible. - - + + - + Restrict Virtual Console Root Logins @@ -282906,11 +282922,11 @@ which the system will be deployed as closely as possible. - + - + Enforce usage of pam_wheel for su authentication @@ -282924,7 +282940,7 @@ which the system will be deployed as closely as possible. - + Enforce Usage of pam_wheel with Group Parameter for su Authentication @@ -282938,7 +282954,7 @@ which the system will be deployed as closely as possible. - + Ensure Home Directories are Created for New Users @@ -282952,7 +282968,7 @@ which the system will be deployed as closely as possible. - + Ensure the Logon Failure Delay is Set Correctly in login.defs @@ -282963,11 +282979,11 @@ which the system will be deployed as closely as possible. - + - + Limit the Number of Concurrent Login Sessions Allowed Per User @@ -282981,12 +282997,12 @@ which the system will be deployed as closely as possible. - + - + Configure Polyinstantiation of /tmp Directories @@ -282996,12 +283012,12 @@ which the system will be deployed as closely as possible. - + - + Configure Polyinstantiation of /var/tmp Directories @@ -283011,12 +283027,12 @@ which the system will be deployed as closely as possible. - + - + Set Interactive Session Timeout @@ -283032,7 +283048,7 @@ which the system will be deployed as closely as possible. - + User Initialization Files Must Be Group-Owned By The Primary Group @@ -283041,11 +283057,11 @@ which the system will be deployed as closely as possible.User Initialization Files Must Be Group-Owned By The Primary Group - - + + - + User Initialization Files Must Not Run World-Writable Programs @@ -283056,10 +283072,10 @@ which the system will be deployed as closely as possible. - + - + User Initialization Files Must Be Owned By the Primary User @@ -283068,11 +283084,11 @@ which the system will be deployed as closely as possible.User Initialization Files Must Be Owned By the Primary User - - + + - + All Interactive Users Must Have A Home Directory Defined @@ -283082,11 +283098,11 @@ which the system will be deployed as closely as possible. - - + + - + All Interactive Users Home Directories Must Exist @@ -283097,11 +283113,11 @@ which the system will be deployed as closely as possible. - - + + - + All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group @@ -283111,11 +283127,11 @@ which the system will be deployed as closely as possible. - - + + - + All User Files and Directories In The Home Directory Must Have a Valid Owner @@ -283124,11 +283140,11 @@ which the system will be deployed as closely as possible.All User Files and Directories In The Home Directory Must Have a Valid Owner - - + + - + All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive @@ -283139,11 +283155,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure users' .netrc Files are not group or world accessible @@ -283154,11 +283170,11 @@ which the system will be deployed as closely as possible. - - + + - + All Interactive User Home Directories Must Be Group-Owned By The Primary Group @@ -283168,11 +283184,11 @@ which the system will be deployed as closely as possible. - - + + - + All Interactive User Home Directories Must Be Owned By The Primary User @@ -283183,11 +283199,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All User Initialization Files Have Mode 0740 Or Less Permissive @@ -283197,11 +283213,11 @@ which the system will be deployed as closely as possible. - + - + All Interactive User Home Directories Must Have mode 0750 Or Less Permissive @@ -283211,11 +283227,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure that User Home Directories are not Group-Writable or World-Readable @@ -283225,11 +283241,11 @@ which the system will be deployed as closely as possible. - + - + Ensure that Root's Path Does Not Include World or Group-Writable Directories @@ -283240,11 +283256,11 @@ which the system will be deployed as closely as possible. - + - + Ensure that Root's Path Does Not Include Relative Paths or Null Directories @@ -283264,7 +283280,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default Bash Umask is Set Correctly @@ -283279,7 +283295,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default C Shell Umask is Set Correctly @@ -283294,7 +283310,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default Umask is Set Correctly in login.defs @@ -283309,7 +283325,7 @@ which the system will be deployed as closely as possible. - + Ensure the Default Umask is Set Correctly in /etc/profile @@ -283320,11 +283336,11 @@ which the system will be deployed as closely as possible. - + - + Ensure the Default Umask is Set Correctly For Interactive Users @@ -283334,11 +283350,11 @@ which the system will be deployed as closely as possible. - - + + - + Enable Syscall Auditing @@ -283358,7 +283374,7 @@ which the system will be deployed as closely as possible. - + Make the auditd Configuration Immutable @@ -283379,7 +283395,7 @@ which the system will be deployed as closely as possible. - + Configure immutable Audit login UIDs @@ -283400,7 +283416,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify the System's Mandatory Access Controls @@ -283421,7 +283437,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify the System's Mandatory Access Controls in usr/share @@ -283434,16 +283450,16 @@ which the system will be deployed as closely as possible. - - + + - - + + - + Record Events that Modify the System's Network Environment @@ -283475,7 +283491,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter Process and Session Initiation Information @@ -283500,7 +283516,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects System Administrator Actions - /etc/sudoers @@ -283521,7 +283537,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ @@ -283542,7 +283558,7 @@ which the system will be deployed as closely as possible. - + Record Events When Executables Are Run As Another User @@ -283565,7 +283581,7 @@ which the system will be deployed as closely as possible. - + Record Events When Privileged Executables Are Run @@ -283592,7 +283608,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects System Administrator Actions @@ -283615,7 +283631,7 @@ which the system will be deployed as closely as possible. - + Shutdown System When Auditing Failures Occur @@ -283636,7 +283652,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information @@ -283665,7 +283681,7 @@ which the system will be deployed as closely as possible. - + Record Access Events to Audit Log Directory @@ -283686,7 +283702,7 @@ which the system will be deployed as closely as possible. - + System Audit Directories Must Be Group Owned By Root @@ -283697,21 +283713,21 @@ which the system will be deployed as closely as possible. - - + + - + - + - + System Audit Directories Must Be Owned By Root @@ -283722,17 +283738,17 @@ which the system will be deployed as closely as possible. - - + + - + - + System Audit Logs Must Have Mode 0750 or Less Permissive @@ -283743,17 +283759,17 @@ which the system will be deployed as closely as possible. - - - + + + - + - + - + System Audit Logs Must Be Group Owned By Root @@ -283764,14 +283780,14 @@ which the system will be deployed as closely as possible. - - + + - + @@ -283780,7 +283796,7 @@ which the system will be deployed as closely as possible. - + System Audit Logs Must Be Owned By Root @@ -283791,18 +283807,18 @@ which the system will be deployed as closely as possible. - + - + - + System Audit Logs Must Be Owned By Root @@ -283813,17 +283829,17 @@ which the system will be deployed as closely as possible. - - + + - + - + System Audit Logs Must Have Mode 0640 or Less Permissive @@ -283834,17 +283850,17 @@ which the system will be deployed as closely as possible. - - - + + + - + - + - + Record Events that Modify the System's Discretionary Access Controls - umount @@ -283864,7 +283880,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects File Deletion Events by User @@ -283882,7 +283898,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) @@ -283901,7 +283917,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on Kernel Module Loading and Unloading @@ -283917,7 +283933,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on Kernel Module Unloading - create_module @@ -283932,7 +283948,7 @@ which the system will be deployed as closely as possible. - + @@ -283940,13 +283956,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Unloading - delete_module @@ -283961,7 +283977,7 @@ which the system will be deployed as closely as possible. - + @@ -283969,13 +283985,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module @@ -283990,7 +284006,7 @@ which the system will be deployed as closely as possible. - + @@ -283998,13 +284014,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Loading - init_module @@ -284019,7 +284035,7 @@ which the system will be deployed as closely as possible. - + @@ -284027,13 +284043,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module @@ -284048,7 +284064,7 @@ which the system will be deployed as closely as possible. - + @@ -284056,13 +284072,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Logon and Logout Events @@ -284078,7 +284094,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands @@ -284090,18 +284106,18 @@ which the system will be deployed as closely as possible. - - - + + + - - - + + + - + Ensure auditd Collects Information on the Use of Privileged Commands - kmod @@ -284122,7 +284138,7 @@ which the system will be deployed as closely as possible. - + Record attempts to alter time through adjtimex @@ -284137,7 +284153,7 @@ which the system will be deployed as closely as possible. - + @@ -284145,13 +284161,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Time Through clock_settime @@ -284166,7 +284182,7 @@ which the system will be deployed as closely as possible. - + @@ -284174,13 +284190,13 @@ which the system will be deployed as closely as possible. - + - + Record attempts to alter time through settimeofday @@ -284195,7 +284211,7 @@ which the system will be deployed as closely as possible. - + @@ -284203,13 +284219,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Time Through stime @@ -284238,7 +284254,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter the localtime File @@ -284259,7 +284275,7 @@ which the system will be deployed as closely as possible. - + Configure audispd Plugin To Send Logs To Remote Server @@ -284269,11 +284285,11 @@ which the system will be deployed as closely as possible. - + - + Configure audispd's Plugin disk_full_action When Disk Is Full @@ -284282,11 +284298,11 @@ which the system will be deployed as closely as possible.remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname - + - + Encrypt Audit Records Sent With audispd Plugin @@ -284296,11 +284312,11 @@ which the system will be deployed as closely as possible. - + - + Configure audispd's Plugin network_failure_action On Network Failure @@ -284309,11 +284325,11 @@ which the system will be deployed as closely as possible.remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname - + - + Configure auditd to use audispd's syslog plugin @@ -284323,11 +284339,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Disk Error Action on Disk Error @@ -284337,11 +284353,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Disk Error Action on Disk Error @@ -284356,7 +284372,7 @@ which the system will be deployed as closely as possible. - + Configure auditd Disk Full Action when Disk Space Is Full @@ -284366,11 +284382,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Disk Full Action when Disk Space Is Full @@ -284385,7 +284401,7 @@ which the system will be deployed as closely as possible. - + Configure auditd mail_acct Action on Low Disk Space @@ -284395,11 +284411,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd admin_space_left Action on Low Disk Space @@ -284409,11 +284425,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd admin_space_left on Low Disk Space @@ -284422,11 +284438,11 @@ which the system will be deployed as closely as possible.admin_space_left setting in /etc/audit/auditd.conf is set to at least a certain value - + - + Configure auditd flush priority @@ -284436,11 +284452,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd Max Log File Size @@ -284450,11 +284466,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd max_log_file_action Upon Reaching Maximum Log Size @@ -284464,11 +284480,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd max_log_file_action Upon Reaching Maximum Log Size @@ -284482,7 +284498,7 @@ which the system will be deployed as closely as possible. - + Configure auditd Number of Logs Retained @@ -284492,11 +284508,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd space_left on Low Disk Space @@ -284506,11 +284522,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd space_left Action on Low Disk Space @@ -284520,11 +284536,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditd space_left on Low Disk Space @@ -284534,11 +284550,11 @@ which the system will be deployed as closely as possible. - + - + Set type of computer node name logging in audit logs @@ -284552,7 +284568,7 @@ which the system will be deployed as closely as possible. - + Appropriate Action Must be Setup When the Internal Audit Event Queue is Full @@ -284566,7 +284582,7 @@ which the system will be deployed as closely as possible. - + Configure audit according to OSPP requirements @@ -284583,7 +284599,7 @@ which the system will be deployed as closely as possible. - + Disable Recovery Booting @@ -284594,10 +284610,10 @@ which the system will be deployed as closely as possible. - + - + Configure kernel to trust the CPU random number generator @@ -284610,12 +284626,12 @@ which the system will be deployed as closely as possible. - + - + Set the Boot Loader Admin Username to a Non-Default Value @@ -284629,7 +284645,7 @@ which the system will be deployed as closely as possible. - + Boot Loader Is Not Installed On Removeable Media @@ -284646,7 +284662,7 @@ which the system will be deployed as closely as possible. - + Set Boot Loader Password in grub2 @@ -284660,7 +284676,7 @@ which the system will be deployed as closely as possible. - + Set the UEFI Boot Loader Admin Username to a Non-Default Value @@ -284674,7 +284690,7 @@ which the system will be deployed as closely as possible. - + Set the UEFI Boot Loader Password @@ -284688,7 +284704,7 @@ which the system will be deployed as closely as possible. - + UEFI Boot Loader Is Not Installed On Removeable Media @@ -284705,7 +284721,7 @@ which the system will be deployed as closely as possible. - + Ensure all zIPL boot entries are BLS compliant @@ -284716,10 +284732,10 @@ which the system will be deployed as closely as possible. - + - + Ensure zIPL bootmap is up to date @@ -284730,10 +284746,10 @@ which the system will be deployed as closely as possible. - + - + Ensure debug-shell service is not enabled in zIPL @@ -284743,11 +284759,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure rsyslog Default File Permissions Configured @@ -284758,11 +284774,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure Logwatch HostLimit Line @@ -284775,7 +284791,7 @@ which the system will be deployed as closely as possible. - + Configure Logwatch SplitHosts Line @@ -284784,11 +284800,11 @@ which the system will be deployed as closely as possible.Check if SplitHosts line in logwatch.conf is set appropriately. - + - + Ensure cron Is Logging To Rsyslog @@ -284803,7 +284819,7 @@ which the system will be deployed as closely as possible. - + Ensure Rsyslog Authenticates Off-Loaded Audit Records @@ -284820,7 +284836,7 @@ which the system will be deployed as closely as possible. - + Ensure Rsyslog Encrypts Off-Loaded Audit Records @@ -284837,7 +284853,7 @@ which the system will be deployed as closely as possible. - + Ensure Rsyslog Encrypts Off-Loaded Audit Records @@ -284854,7 +284870,7 @@ which the system will be deployed as closely as possible. - + Ensure logging is configured @@ -284870,7 +284886,7 @@ which the system will be deployed as closely as possible. - + Ensure remote access methods are monitored in Rsyslog @@ -284886,7 +284902,7 @@ which the system will be deployed as closely as possible. - + Ensure Logrotate Runs Periodically @@ -284907,7 +284923,7 @@ which the system will be deployed as closely as possible. - + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server @@ -284918,11 +284934,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure Logs Sent To Remote Host @@ -284937,7 +284953,7 @@ which the system will be deployed as closely as possible. - + Configure TLS for rsyslog remote logging @@ -284951,7 +284967,7 @@ which the system will be deployed as closely as possible. - + Configure CA certificate for rsyslog remote logging @@ -284965,7 +284981,7 @@ which the system will be deployed as closely as possible. - + Configure Multiple DNS Servers in /etc/resolv.conf @@ -284982,12 +284998,12 @@ which the system will be deployed as closely as possible. - + - + Disable Client Dynamic DNS Updates @@ -285003,7 +285019,7 @@ which the system will be deployed as closely as possible. - + Disable Zeroconf Networking @@ -285013,11 +285029,11 @@ which the system will be deployed as closely as possible. - + - + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli @@ -285027,11 +285043,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure System is Not Acting as a Network Sniffer @@ -285041,25 +285057,11 @@ which the system will be deployed as closely as possible. - - - - - - - Set Default firewalld Zone for Incoming Packets - - Red Hat Enterprise Linux 8 - - Change the default firewalld zone to drop. - - - - - + + - + Manually Assign IPv6 Router Address @@ -285073,7 +285075,7 @@ which the system will be deployed as closely as possible. - + Use Privacy Extensions for Address @@ -285087,7 +285089,7 @@ which the system will be deployed as closely as possible. - + Manually Assign Global IPv6 Address @@ -285102,7 +285104,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Networking Support Automatic Loading @@ -285112,11 +285114,11 @@ which the system will be deployed as closely as possible. - - + + - + Disable Support for RPC IPv6 @@ -285130,7 +285132,7 @@ which the system will be deployed as closely as possible. - + Deactivate Wireless Network Interfaces @@ -285140,11 +285142,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All World-Writable Directories Are Owned by root User @@ -285154,11 +285156,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify that All World-Writable Directories Have Sticky Bits Set @@ -285168,11 +285170,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure All World-Writable Directories Are Owned by a System Account @@ -285181,11 +285183,11 @@ which the system will be deployed as closely as possible.All world writable directories should be owned by a system user. - + - + Ensure All World-Writable Directories Are Group Owned by a System Account @@ -285195,11 +285197,11 @@ which the system will be deployed as closely as possible. - + - + Verify that local System.map file (if exists) is readable only by root @@ -285225,7 +285227,7 @@ which the system will be deployed as closely as possible. - + @@ -285239,11 +285241,11 @@ which the system will be deployed as closely as possible. - + - + Ensure No World-Writable Files Exist @@ -285253,11 +285255,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Files Are Owned by a Group @@ -285267,11 +285269,11 @@ which the system will be deployed as closely as possible. - + - + Ensure All Files Are Owned by a User @@ -285281,11 +285283,11 @@ which the system will be deployed as closely as possible. - + - + Verify that system commands files are group owned by root or a system account @@ -285298,11 +285300,11 @@ which the system will be deployed as closely as possible. - + - + Verify that System Executables Have Root Ownership @@ -285320,7 +285322,7 @@ which the system will be deployed as closely as possible. - + Verify that System Executables Have Restrictive Permissions @@ -285337,7 +285339,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Support for USB via Bootloader Configuration @@ -285350,7 +285352,7 @@ which the system will be deployed as closely as possible. - + Add nodev Option to Non-Root Local Partitions @@ -285364,11 +285366,11 @@ which the system will be deployed as closely as possible. - - + + - + Bind Mount /var/tmp To /tmp @@ -285388,7 +285390,7 @@ which the system will be deployed as closely as possible. - + Disable core dump backtraces @@ -285403,7 +285405,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dump @@ -285418,7 +285420,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for All Users @@ -285431,12 +285433,12 @@ which the system will be deployed as closely as possible. - + - + Set Daemon Umask @@ -285450,7 +285452,7 @@ which the system will be deployed as closely as possible. - + Enable ExecShield via sysctl @@ -285467,7 +285469,7 @@ which the system will be deployed as closely as possible. - + Enable NX or XD Support in the BIOS @@ -285482,7 +285484,7 @@ which the system will be deployed as closely as possible. - + Install PAE Kernel on Supported 32-bit x86 Systems @@ -285494,9 +285496,9 @@ which the system will be deployed as closely as possible. - + - + @@ -285505,7 +285507,7 @@ which the system will be deployed as closely as possible. - + Ensure SELinux Not Disabled in /etc/default/grub @@ -285518,12 +285520,12 @@ which the system will be deployed as closely as possible. - - - + + + - + Ensure No Device Files are Unlabeled by SELinux @@ -285538,7 +285540,7 @@ which the system will be deployed as closely as possible. - + Ensure No Daemons are Unconfined by SELinux @@ -285548,11 +285550,11 @@ which the system will be deployed as closely as possible. - + - + Ensure SELinux is Not Disabled @@ -285563,10 +285565,10 @@ which the system will be deployed as closely as possible. - + - + Configure SELinux Policy @@ -285576,11 +285578,11 @@ which the system will be deployed as closely as possible. - + - + Ensure SELinux State is Enforcing @@ -285594,7 +285596,7 @@ which the system will be deployed as closely as possible. - + Prefer to use a 64-bit Operating System when supported @@ -285609,10 +285611,10 @@ which the system will be deployed as closely as possible. - + - + Make sure that the dconf databases are up-to-date with regards to respective keyfiles @@ -285623,7 +285625,7 @@ which the system will be deployed as closely as possible. - + @@ -285636,7 +285638,7 @@ which the system will be deployed as closely as possible. - + Configure GNOME3 DConf User Profile @@ -285646,11 +285648,11 @@ which the system will be deployed as closely as possible. - + - + Disable the GNOME3 Login Restart and Shutdown Buttons @@ -285660,7 +285662,7 @@ which the system will be deployed as closely as possible. - + @@ -285668,7 +285670,7 @@ which the system will be deployed as closely as possible. - + Disable the GNOME3 Login User List @@ -285679,7 +285681,7 @@ which the system will be deployed as closely as possible. - + @@ -285687,7 +285689,7 @@ which the system will be deployed as closely as possible. - + Enable the GNOME3 Login Smartcard Authentication @@ -285697,7 +285699,7 @@ which the system will be deployed as closely as possible. - + @@ -285705,7 +285707,7 @@ which the system will be deployed as closely as possible. - + Set the GNOME3 Login Number of Failures @@ -285716,7 +285718,7 @@ which the system will be deployed as closely as possible. - + @@ -285724,7 +285726,7 @@ which the system will be deployed as closely as possible. - + Disable GDM Automatic Login @@ -285736,11 +285738,11 @@ which the system will be deployed as closely as possible. - + - + Disable GDM Guest Login @@ -285752,11 +285754,11 @@ which the system will be deployed as closely as possible. - + - + Disable XDMCP in GDM @@ -285773,7 +285775,7 @@ which the system will be deployed as closely as possible. - + Disable GNOME3 automount @@ -285786,7 +285788,7 @@ which the system will be deployed as closely as possible. - + @@ -285794,7 +285796,7 @@ which the system will be deployed as closely as possible. - + Disable GNOME3 automount-open @@ -285807,7 +285809,7 @@ which the system will be deployed as closely as possible. - + @@ -285815,7 +285817,7 @@ which the system will be deployed as closely as possible. - + Disable GNOME3 autorun @@ -285828,7 +285830,7 @@ which the system will be deployed as closely as possible. - + @@ -285836,7 +285838,7 @@ which the system will be deployed as closely as possible. - + Disable All GNOME3 Thumbnailers @@ -285849,7 +285851,7 @@ which the system will be deployed as closely as possible. - + @@ -285857,7 +285859,7 @@ which the system will be deployed as closely as possible. - + Disable WIFI Network Connection Creation in GNOME3 @@ -285867,7 +285869,7 @@ which the system will be deployed as closely as possible. - + @@ -285875,7 +285877,7 @@ which the system will be deployed as closely as possible. - + Disable WIFI Network Notification in GNOME3 @@ -285885,7 +285887,7 @@ which the system will be deployed as closely as possible. - + @@ -285893,7 +285895,7 @@ which the system will be deployed as closely as possible. - + Require Credential Prompting for Remote Access in GNOME3 @@ -285904,7 +285906,7 @@ which the system will be deployed as closely as possible. - + @@ -285912,7 +285914,7 @@ which the system will be deployed as closely as possible. - + Require Encryption for Remote Access in GNOME3 @@ -285923,7 +285925,7 @@ which the system will be deployed as closely as possible. - + @@ -285931,7 +285933,7 @@ which the system will be deployed as closely as possible. - + Enable GNOME3 Screensaver Idle Activation @@ -285942,7 +285944,7 @@ which the system will be deployed as closely as possible. - + @@ -285950,7 +285952,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation @@ -285961,14 +285963,14 @@ which the system will be deployed as closely as possible. - + - + Set GNOME3 Screensaver Inactivity Timeout @@ -285979,7 +285981,7 @@ which the system will be deployed as closely as possible. - + @@ -285987,7 +285989,7 @@ which the system will be deployed as closely as possible. - + Set GNOME3 Screensaver Lock Delay After Activation Period @@ -285999,7 +286001,7 @@ which the system will be deployed as closely as possible. - + @@ -286007,7 +286009,7 @@ which the system will be deployed as closely as possible. - + Enable GNOME3 Screensaver Lock After Idle Period @@ -286018,7 +286020,7 @@ which the system will be deployed as closely as possible. - + @@ -286026,7 +286028,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period @@ -286037,14 +286039,14 @@ which the system will be deployed as closely as possible. - + - + Implement Blank Screensaver @@ -286055,7 +286057,7 @@ which the system will be deployed as closely as possible. - + @@ -286063,7 +286065,7 @@ which the system will be deployed as closely as possible. - + Disable Full User Name on Splash Shield @@ -286074,7 +286076,7 @@ which the system will be deployed as closely as possible. - + @@ -286082,7 +286084,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Cannot Change GNOME3 Screensaver Settings @@ -286093,14 +286095,14 @@ which the system will be deployed as closely as possible. - + - + Ensure Users Cannot Change GNOME3 Session Idle Settings @@ -286111,14 +286113,14 @@ which the system will be deployed as closely as possible. - + - + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 @@ -286129,7 +286131,7 @@ which the system will be deployed as closely as possible. - + @@ -286137,7 +286139,7 @@ which the system will be deployed as closely as possible. - + Disable Geolocation in GNOME3 @@ -286147,7 +286149,7 @@ which the system will be deployed as closely as possible. - + @@ -286157,7 +286159,7 @@ which the system will be deployed as closely as possible. - + Disable Power Settings in GNOME3 @@ -286167,7 +286169,7 @@ which the system will be deployed as closely as possible. - + @@ -286175,7 +286177,7 @@ which the system will be deployed as closely as possible. - + The Installed Operating System Is FIPS 140-2 Certified @@ -286199,7 +286201,7 @@ which the system will be deployed as closely as possible. - + The Installed Operating System Is Vendor Supported @@ -286221,7 +286223,7 @@ which the system will be deployed as closely as possible. - + Configure BIND to use System Crypto Policy @@ -286233,10 +286235,10 @@ which the system will be deployed as closely as possible. - + - + Configure System Cryptography Policy @@ -286253,7 +286255,7 @@ which the system will be deployed as closely as possible. - + Configure GnuTLS library to use DoD-approved TLS Encryption @@ -286263,11 +286265,11 @@ which the system will be deployed as closely as possible. - + - + Configure Kerberos to use System Crypto Policy @@ -286277,12 +286279,12 @@ which the system will be deployed as closely as possible. - + - + Configure Libreswan to use System Crypto Policy @@ -286293,11 +286295,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure OpenSSL library to use System Crypto Policy @@ -286307,11 +286309,11 @@ which the system will be deployed as closely as possible. - - + + - + Configure OpenSSL library to use TLS Encryption @@ -286322,14 +286324,14 @@ which the system will be deployed as closely as possible. - + - - + + - + Configure SSH to use System Crypto Policy @@ -286339,11 +286341,11 @@ which the system will be deployed as closely as possible. - - + + - + Harden OpenSSL Crypto Policy @@ -286357,7 +286359,7 @@ which the system will be deployed as closely as possible. - + Harden SSH client Crypto Policy @@ -286377,7 +286379,7 @@ which the system will be deployed as closely as possible. - + Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config @@ -286387,11 +286389,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config @@ -286401,11 +286403,11 @@ which the system will be deployed as closely as possible. - + - + Harden SSHD Crypto Policy @@ -286429,7 +286431,7 @@ which the system will be deployed as closely as possible. - + Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config @@ -286439,11 +286441,11 @@ which the system will be deployed as closely as possible. - + - + Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config @@ -286453,11 +286455,11 @@ which the system will be deployed as closely as possible. - + - + OpenSSL uses strong entropy source @@ -286467,11 +286469,11 @@ which the system will be deployed as closely as possible. - - + + - + Install Virus Scanning Software @@ -286481,11 +286483,11 @@ which the system will be deployed as closely as possible. - + - + Install Intrusion Detection Software @@ -286500,7 +286502,7 @@ which the system will be deployed as closely as possible. - + Install McAfee Virus Scanning Software @@ -286514,7 +286516,7 @@ which the system will be deployed as closely as possible. - + Install the McAfee Runtime Libraries and Linux Agent @@ -286528,7 +286530,7 @@ which the system will be deployed as closely as possible. - + Virus Scanning Software Definitions Are Updated @@ -286537,11 +286539,11 @@ which the system will be deployed as closely as possible.Verify that McAfee AntiVirus definitions have been updated. - + - + Ensure McAfee Endpoint Security for Linux (ENSL) is running @@ -286551,11 +286553,11 @@ which the system will be deployed as closely as possible. - + - + Install the Asset Configuration Compliance Module (ACCM) @@ -286564,11 +286566,11 @@ which the system will be deployed as closely as possible.Install the Asset Configuration Compliance Module (ACCM). - + - + Install the Policy Auditor (PA) Module @@ -286577,11 +286579,11 @@ which the system will be deployed as closely as possible.Install the Policy Auditor (PA) Module. - + - + Enable Dracut FIPS Module @@ -286595,7 +286597,7 @@ which the system will be deployed as closely as possible. - + Enable FIPS Mode @@ -286606,26 +286608,26 @@ which the system will be deployed as closely as possible. - - - - - + + + + + - - + + - - + + - + - + Ensure '/etc/system-fips' exists @@ -286635,10 +286637,10 @@ which the system will be deployed as closely as possible. - + - + Set kernel parameter 'crypto.fips_enabled' to 1 @@ -286652,7 +286654,7 @@ which the system will be deployed as closely as possible. - + Build and Test AIDE Database @@ -286667,7 +286669,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Verify the Audit Tools @@ -286688,7 +286690,7 @@ which the system will be deployed as closely as possible. - + Configure Periodic Execution of AIDE @@ -286711,7 +286713,7 @@ which the system will be deployed as closely as possible. - + Configure Notification of Post-AIDE Scan Details @@ -286731,7 +286733,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Use FIPS 140-2 for Validating Hashes @@ -286748,7 +286750,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Verify Access Control Lists (ACLs) @@ -286763,7 +286765,7 @@ which the system will be deployed as closely as possible. - + Configure AIDE to Verify Extended Attributes @@ -286778,7 +286780,7 @@ which the system will be deployed as closely as possible. - + Verify File Hashes with RPM @@ -286788,11 +286790,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify and Correct Ownership with RPM @@ -286806,11 +286808,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify and Correct File Permissions with RPM @@ -286823,11 +286825,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure a dedicated group owns sudo @@ -286837,12 +286839,12 @@ which the system will be deployed as closely as possible. - + - + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate @@ -286857,7 +286859,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD @@ -286872,7 +286874,7 @@ which the system will be deployed as closely as possible. - + Ensure Users Re-Authenticate for Privilege Escalation - sudo @@ -286887,7 +286889,7 @@ which the system will be deployed as closely as possible. - + Require Re-Authentication When Using the sudo Command @@ -286902,7 +286904,7 @@ which the system will be deployed as closely as possible. - + The operating system must restrict privilege elevation to authorized personnel @@ -286917,7 +286919,7 @@ which the system will be deployed as closely as possible. - + Only the VDSM User Can Use sudo NOPASSWD @@ -286932,7 +286934,7 @@ which the system will be deployed as closely as possible. - + Ensure sudo only includes the default configuration directory @@ -286955,7 +286957,7 @@ which the system will be deployed as closely as possible. - + Explicit arguments in sudo specifications @@ -286969,7 +286971,7 @@ which the system will be deployed as closely as possible. - + Don't define allowed commands in sudoers by means of exclusion @@ -286983,7 +286985,7 @@ which the system will be deployed as closely as possible. - + Don't target root user in the sudoers file @@ -286998,7 +287000,7 @@ which the system will be deployed as closely as possible. - + Ensure invoking users password for privilege escalation when using sudo @@ -287017,7 +287019,7 @@ which the system will be deployed as closely as possible. - + Ensure yum Removes Previous Package Versions @@ -287028,11 +287030,11 @@ which the system will be deployed as closely as possible. - + - + Configure dnf-automatic to Install Available Updates Automatically @@ -287049,7 +287051,7 @@ which the system will be deployed as closely as possible. - + Configure dnf-automatic to Install Only Security Updates @@ -287066,7 +287068,7 @@ which the system will be deployed as closely as possible. - + Ensure gpgcheck Enabled In Main yum Configuration @@ -287082,7 +287084,7 @@ which the system will be deployed as closely as possible. - + Ensure gpgcheck Enabled for Local Packages @@ -287094,11 +287096,11 @@ which the system will be deployed as closely as possible. - + - + Ensure gpgcheck Enabled for All yum Package Repositories @@ -287112,7 +287114,7 @@ which the system will be deployed as closely as possible. - + Ensure gpgcheck Enabled for Repository Metadata @@ -287123,11 +287125,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Red Hat GPG Key Installed @@ -287153,7 +287155,7 @@ which the system will be deployed as closely as possible. - + Ensure PAM Enforces Password Requirements - Minimum Digit Characters @@ -287163,14 +287165,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words @@ -287180,14 +287182,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Different Characters @@ -287197,14 +287199,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only @@ -287214,12 +287216,12 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Enforce for root User @@ -287229,12 +287231,12 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters @@ -287244,14 +287246,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class @@ -287261,14 +287263,14 @@ which the system will be deployed as closely as possible. - + - + Set Password Maximum Consecutive Repeating Characters @@ -287278,14 +287280,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Different Categories @@ -287295,14 +287297,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Length @@ -287312,14 +287314,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Special Characters @@ -287329,14 +287331,14 @@ which the system will be deployed as closely as possible. - + - + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters @@ -287346,14 +287348,14 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file accesses @@ -287363,11 +287365,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file accesses @@ -287377,11 +287379,11 @@ which the system will be deployed as closely as possible. - + - + Configure basic parameters of Audit system @@ -287391,11 +287393,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file creations @@ -287405,11 +287407,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file creations @@ -287419,11 +287421,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file deletions @@ -287433,11 +287435,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file deletions @@ -287447,11 +287449,11 @@ which the system will be deployed as closely as possible. - + - + Configure immutable Audit login UIDs @@ -287461,11 +287463,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful file modifications @@ -287475,11 +287477,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful file modifications @@ -287489,11 +287491,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of loading and unloading of kernel modules @@ -287503,11 +287505,11 @@ which the system will be deployed as closely as possible. - + - + Perform general configuration of Audit for OSPP @@ -287517,11 +287519,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful ownership changes @@ -287531,11 +287533,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful ownership changes @@ -287545,11 +287547,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of unsuccessful permission changes @@ -287559,11 +287561,11 @@ which the system will be deployed as closely as possible. - + - + Configure auditing of successful permission changes @@ -287573,11 +287575,11 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on the Use of Privileged Commands - init @@ -287597,7 +287599,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - poweroff @@ -287617,7 +287619,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - reboot @@ -287637,7 +287639,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - shutdown @@ -287657,7 +287659,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify the System's Discretionary Access Controls - chmod @@ -287672,7 +287674,7 @@ which the system will be deployed as closely as possible. - + @@ -287680,13 +287682,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - chown @@ -287701,7 +287703,7 @@ which the system will be deployed as closely as possible. - + @@ -287709,13 +287711,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchmod @@ -287730,7 +287732,7 @@ which the system will be deployed as closely as possible. - + @@ -287738,13 +287740,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchmodat @@ -287759,7 +287761,7 @@ which the system will be deployed as closely as possible. - + @@ -287767,13 +287769,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchown @@ -287788,7 +287790,7 @@ which the system will be deployed as closely as possible. - + @@ -287796,13 +287798,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fchownat @@ -287817,7 +287819,7 @@ which the system will be deployed as closely as possible. - + @@ -287825,13 +287827,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fremovexattr @@ -287847,7 +287849,7 @@ which the system will be deployed as closely as possible. - + @@ -287857,14 +287859,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - fsetxattr @@ -287880,7 +287882,7 @@ which the system will be deployed as closely as possible. - + @@ -287890,14 +287892,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - lchown @@ -287912,7 +287914,7 @@ which the system will be deployed as closely as possible. - + @@ -287920,13 +287922,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - lremovexattr @@ -287942,7 +287944,7 @@ which the system will be deployed as closely as possible. - + @@ -287952,14 +287954,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - lsetxattr @@ -287975,7 +287977,7 @@ which the system will be deployed as closely as possible. - + @@ -287985,14 +287987,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - removexattr @@ -288008,7 +288010,7 @@ which the system will be deployed as closely as possible. - + @@ -288018,14 +288020,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - setxattr @@ -288041,7 +288043,7 @@ which the system will be deployed as closely as possible. - + @@ -288051,14 +288053,14 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Discretionary Access Controls - umount2 @@ -288073,7 +288075,7 @@ which the system will be deployed as closely as possible. - + @@ -288081,13 +288083,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/group @@ -288102,7 +288104,7 @@ which the system will be deployed as closely as possible. - + @@ -288110,13 +288112,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group @@ -288131,7 +288133,7 @@ which the system will be deployed as closely as possible. - + @@ -288139,13 +288141,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/group @@ -288160,7 +288162,7 @@ which the system will be deployed as closely as possible. - + @@ -288168,13 +288170,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/gshadow @@ -288189,7 +288191,7 @@ which the system will be deployed as closely as possible. - + @@ -288197,13 +288199,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow @@ -288218,7 +288220,7 @@ which the system will be deployed as closely as possible. - + @@ -288226,13 +288228,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow @@ -288247,7 +288249,7 @@ which the system will be deployed as closely as possible. - + @@ -288255,13 +288257,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/passwd @@ -288276,7 +288278,7 @@ which the system will be deployed as closely as possible. - + @@ -288284,13 +288286,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd @@ -288305,7 +288307,7 @@ which the system will be deployed as closely as possible. - + @@ -288313,13 +288315,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/passwd @@ -288334,7 +288336,7 @@ which the system will be deployed as closely as possible. - + @@ -288342,13 +288344,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open syscall - /etc/shadow @@ -288363,7 +288365,7 @@ which the system will be deployed as closely as possible. - + @@ -288371,13 +288373,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow @@ -288392,7 +288394,7 @@ which the system will be deployed as closely as possible. - + @@ -288400,13 +288402,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify User/Group Information via openat syscall - /etc/shadow @@ -288421,7 +288423,7 @@ which the system will be deployed as closely as possible. - + @@ -288429,13 +288431,13 @@ which the system will be deployed as closely as possible. - + - + Record Any Attempts to Run chacl @@ -288456,7 +288458,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run chcon @@ -288477,7 +288479,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run restorecon @@ -288498,7 +288500,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run semanage @@ -288519,7 +288521,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run setfacl @@ -288540,7 +288542,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run setfiles @@ -288561,7 +288563,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run setsebool @@ -288582,7 +288584,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run seunshare @@ -288603,7 +288605,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects File Deletion Events by User - rename @@ -288618,7 +288620,7 @@ which the system will be deployed as closely as possible. - + @@ -288626,13 +288628,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - renameat @@ -288647,7 +288649,7 @@ which the system will be deployed as closely as possible. - + @@ -288655,13 +288657,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - rmdir @@ -288676,7 +288678,7 @@ which the system will be deployed as closely as possible. - + @@ -288684,13 +288686,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - unlink @@ -288705,7 +288707,7 @@ which the system will be deployed as closely as possible. - + @@ -288713,13 +288715,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects File Deletion Events by User - unlinkat @@ -288734,7 +288736,7 @@ which the system will be deployed as closely as possible. - + @@ -288742,13 +288744,13 @@ which the system will be deployed as closely as possible. - + - + Record Attempts to Alter Logon and Logout Events - faillock @@ -288769,7 +288771,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter Logon and Logout Events - lastlog @@ -288790,7 +288792,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to Alter Logon and Logout Events - tallylog @@ -288811,7 +288813,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on Exporting to Media (successful) @@ -288826,7 +288828,7 @@ which the system will be deployed as closely as possible. - + @@ -288834,13 +288836,13 @@ which the system will be deployed as closely as possible. - + - + Ensure auditd Collects Information on the Use of Privileged Commands - at @@ -288861,7 +288863,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - chage @@ -288882,7 +288884,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - chsh @@ -288903,7 +288905,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - crontab @@ -288924,7 +288926,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd @@ -288945,7 +288947,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - mount @@ -288966,7 +288968,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap @@ -288987,7 +288989,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp @@ -289008,7 +289010,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap @@ -289029,7 +289031,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check @@ -289050,7 +289052,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - passwd @@ -289071,7 +289073,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - postdrop @@ -289092,7 +289094,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - postqueue @@ -289113,7 +289115,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown @@ -289134,7 +289136,7 @@ which the system will be deployed as closely as possible. - + Record Any Attempts to Run ssh-agent @@ -289155,7 +289157,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign @@ -289176,7 +289178,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - su @@ -289197,7 +289199,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - sudo @@ -289218,7 +289220,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit @@ -289239,7 +289241,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - umount @@ -289260,7 +289262,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd @@ -289281,7 +289283,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - unix_update @@ -289302,7 +289304,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper @@ -289323,7 +289325,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - usermod @@ -289344,7 +289346,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl @@ -289365,7 +289367,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - chmod @@ -289381,7 +289383,7 @@ which the system will be deployed as closely as possible. - + @@ -289393,7 +289395,7 @@ which the system will be deployed as closely as possible. - + @@ -289402,7 +289404,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - chown @@ -289418,7 +289420,7 @@ which the system will be deployed as closely as possible. - + @@ -289430,7 +289432,7 @@ which the system will be deployed as closely as possible. - + @@ -289439,7 +289441,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - creat @@ -289455,7 +289457,7 @@ which the system will be deployed as closely as possible. - + @@ -289467,7 +289469,7 @@ which the system will be deployed as closely as possible. - + @@ -289476,7 +289478,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fchmod @@ -289492,7 +289494,7 @@ which the system will be deployed as closely as possible. - + @@ -289504,7 +289506,7 @@ which the system will be deployed as closely as possible. - + @@ -289513,7 +289515,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fchmodat @@ -289529,7 +289531,7 @@ which the system will be deployed as closely as possible. - + @@ -289541,7 +289543,7 @@ which the system will be deployed as closely as possible. - + @@ -289550,7 +289552,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - fchown @@ -289566,7 +289568,7 @@ which the system will be deployed as closely as possible. - + @@ -289578,7 +289580,7 @@ which the system will be deployed as closely as possible. - + @@ -289587,7 +289589,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - fchownat @@ -289603,7 +289605,7 @@ which the system will be deployed as closely as possible. - + @@ -289615,7 +289617,7 @@ which the system will be deployed as closely as possible. - + @@ -289624,7 +289626,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fremovexattr @@ -289640,7 +289642,7 @@ which the system will be deployed as closely as possible. - + @@ -289652,7 +289654,7 @@ which the system will be deployed as closely as possible. - + @@ -289661,7 +289663,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - fsetxattr @@ -289677,7 +289679,7 @@ which the system will be deployed as closely as possible. - + @@ -289689,7 +289691,7 @@ which the system will be deployed as closely as possible. - + @@ -289698,7 +289700,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - ftruncate @@ -289714,7 +289716,7 @@ which the system will be deployed as closely as possible. - + @@ -289726,7 +289728,7 @@ which the system will be deployed as closely as possible. - + @@ -289735,7 +289737,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Ownership Changes to Files - lchown @@ -289751,7 +289753,7 @@ which the system will be deployed as closely as possible. - + @@ -289763,7 +289765,7 @@ which the system will be deployed as closely as possible. - + @@ -289772,7 +289774,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - lremovexattr @@ -289788,7 +289790,7 @@ which the system will be deployed as closely as possible. - + @@ -289800,7 +289802,7 @@ which the system will be deployed as closely as possible. - + @@ -289809,7 +289811,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - lsetxattr @@ -289825,7 +289827,7 @@ which the system will be deployed as closely as possible. - + @@ -289837,7 +289839,7 @@ which the system will be deployed as closely as possible. - + @@ -289846,7 +289848,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - open @@ -289862,7 +289864,7 @@ which the system will be deployed as closely as possible. - + @@ -289874,7 +289876,7 @@ which the system will be deployed as closely as possible. - + @@ -289883,7 +289885,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - open_by_handle_at @@ -289899,7 +289901,7 @@ which the system will be deployed as closely as possible. - + @@ -289911,7 +289913,7 @@ which the system will be deployed as closely as possible. - + @@ -289920,7 +289922,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT @@ -289936,7 +289938,7 @@ which the system will be deployed as closely as possible. - + @@ -289948,7 +289950,7 @@ which the system will be deployed as closely as possible. - + @@ -289957,7 +289959,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE @@ -289973,7 +289975,7 @@ which the system will be deployed as closely as possible. - + @@ -289985,7 +289987,7 @@ which the system will be deployed as closely as possible. - + @@ -289994,7 +289996,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly @@ -290010,7 +290012,7 @@ which the system will be deployed as closely as possible. - + @@ -290022,7 +290024,7 @@ which the system will be deployed as closely as possible. - + @@ -290031,7 +290033,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Creation Attempts to Files - open O_CREAT @@ -290047,7 +290049,7 @@ which the system will be deployed as closely as possible. - + @@ -290059,7 +290061,7 @@ which the system will be deployed as closely as possible. - + @@ -290068,7 +290070,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE @@ -290084,7 +290086,7 @@ which the system will be deployed as closely as possible. - + @@ -290096,7 +290098,7 @@ which the system will be deployed as closely as possible. - + @@ -290105,7 +290107,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly @@ -290121,7 +290123,7 @@ which the system will be deployed as closely as possible. - + @@ -290133,7 +290135,7 @@ which the system will be deployed as closely as possible. - + @@ -290142,7 +290144,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - openat @@ -290158,7 +290160,7 @@ which the system will be deployed as closely as possible. - + @@ -290170,7 +290172,7 @@ which the system will be deployed as closely as possible. - + @@ -290179,7 +290181,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Creation Attempts to Files - openat O_CREAT @@ -290195,7 +290197,7 @@ which the system will be deployed as closely as possible. - + @@ -290207,7 +290209,7 @@ which the system will be deployed as closely as possible. - + @@ -290216,7 +290218,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE @@ -290232,7 +290234,7 @@ which the system will be deployed as closely as possible. - + @@ -290244,7 +290246,7 @@ which the system will be deployed as closely as possible. - + @@ -290253,7 +290255,7 @@ which the system will be deployed as closely as possible. - + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly @@ -290269,7 +290271,7 @@ which the system will be deployed as closely as possible. - + @@ -290281,7 +290283,7 @@ which the system will be deployed as closely as possible. - + @@ -290290,7 +290292,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - removexattr @@ -290306,7 +290308,7 @@ which the system will be deployed as closely as possible. - + @@ -290318,7 +290320,7 @@ which the system will be deployed as closely as possible. - + @@ -290327,7 +290329,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - rename @@ -290343,7 +290345,7 @@ which the system will be deployed as closely as possible. - + @@ -290355,7 +290357,7 @@ which the system will be deployed as closely as possible. - + @@ -290364,7 +290366,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - renameat @@ -290380,7 +290382,7 @@ which the system will be deployed as closely as possible. - + @@ -290392,7 +290394,7 @@ which the system will be deployed as closely as possible. - + @@ -290401,7 +290403,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Permission Changes to Files - setxattr @@ -290417,7 +290419,7 @@ which the system will be deployed as closely as possible. - + @@ -290429,7 +290431,7 @@ which the system will be deployed as closely as possible. - + @@ -290438,7 +290440,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Access Attempts to Files - truncate @@ -290454,7 +290456,7 @@ which the system will be deployed as closely as possible. - + @@ -290466,7 +290468,7 @@ which the system will be deployed as closely as possible. - + @@ -290475,7 +290477,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - unlink @@ -290491,7 +290493,7 @@ which the system will be deployed as closely as possible. - + @@ -290503,7 +290505,7 @@ which the system will be deployed as closely as possible. - + @@ -290512,7 +290514,7 @@ which the system will be deployed as closely as possible. - + Record Unsuccessful Delete Attempts to Files - unlinkat @@ -290528,7 +290530,7 @@ which the system will be deployed as closely as possible. - + @@ -290540,7 +290542,7 @@ which the system will be deployed as closely as possible. - + @@ -290549,7 +290551,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/group @@ -290570,7 +290572,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/gshadow @@ -290591,7 +290593,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/security/opasswd @@ -290612,7 +290614,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/passwd @@ -290633,7 +290635,7 @@ which the system will be deployed as closely as possible. - + Record Events that Modify User/Group Information - /etc/shadow @@ -290654,7 +290656,7 @@ which the system will be deployed as closely as possible. - + Record Attempts to perform maintenance activities @@ -290675,7 +290677,7 @@ which the system will be deployed as closely as possible. - + Set number of records to cause an explicit flush to audit logs @@ -290689,7 +290691,7 @@ which the system will be deployed as closely as possible. - + Include Local Events in Audit Logs @@ -290703,7 +290705,7 @@ which the system will be deployed as closely as possible. - + Resolve information before writing to audit logs @@ -290717,7 +290719,7 @@ which the system will be deployed as closely as possible. - + Write Audit Logs to the Disk @@ -290732,7 +290734,7 @@ which the system will be deployed as closely as possible. - + Ensure SELinux Not Disabled in the kernel arguments @@ -290745,18 +290747,18 @@ which the system will be deployed as closely as possible. - + - + - + - + Disable User Administration in GNOME3 @@ -290771,7 +290773,7 @@ which the system will be deployed as closely as possible. - + Enable the GNOME3 Screen Locking On Smartcard Removal @@ -290786,7 +290788,7 @@ which the system will be deployed as closely as possible. - + Verify that Shared Library Directories Have Root Group Ownership @@ -290796,14 +290798,14 @@ which the system will be deployed as closely as possible. - + - + Verify that System Executable Have Root Ownership @@ -290812,7 +290814,7 @@ which the system will be deployed as closely as possible.This test makes sure that /bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/ is owned by 0. - + @@ -290821,7 +290823,7 @@ which the system will be deployed as closely as possible. - + Verify that Shared Library Directories Have Root Ownership @@ -290831,14 +290833,14 @@ which the system will be deployed as closely as possible. - + - + Verify that System Executable Directories Have Restrictive Permissions @@ -290849,7 +290851,7 @@ which the system will be deployed as closely as possible. - + @@ -290858,7 +290860,7 @@ which the system will be deployed as closely as possible. - + Verify that Shared Library Directories Have Restrictive Permissions @@ -290870,14 +290872,14 @@ which the system will be deployed as closely as possible. - + - + Disable Host-Based Authentication @@ -290904,7 +290906,7 @@ which the system will be deployed as closely as possible. - + Ensure that /etc/at.deny does not exist @@ -290914,11 +290916,11 @@ which the system will be deployed as closely as possible. - + - + Audit Tools Must Be Group-owned by Root @@ -290928,7 +290930,7 @@ which the system will be deployed as closely as possible. - + @@ -290938,7 +290940,7 @@ which the system will be deployed as closely as possible. - + Audit Tools Must Be Owned by Root @@ -290948,7 +290950,7 @@ which the system will be deployed as closely as possible. - + @@ -290958,7 +290960,7 @@ which the system will be deployed as closely as possible. - + Audit Tools Must Have a Mode of 0755 or Less Permissive @@ -290970,7 +290972,7 @@ which the system will be deployed as closely as possible. - + @@ -290980,7 +290982,7 @@ which the system will be deployed as closely as possible. - + Ensure that /etc/cron.deny does not exist @@ -290990,11 +290992,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /etc/at.allow file @@ -291004,11 +291006,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup group File @@ -291018,11 +291020,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup gshadow File @@ -291032,11 +291034,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup passwd File @@ -291046,11 +291048,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup shadow File @@ -291060,11 +291062,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /etc/cron.allow file @@ -291074,11 +291076,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.d @@ -291088,11 +291090,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.daily @@ -291102,11 +291104,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.hourly @@ -291116,11 +291118,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.monthly @@ -291130,11 +291132,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns cron.weekly @@ -291144,11 +291146,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Crontab @@ -291158,11 +291160,11 @@ which the system will be deployed as closely as possible. - + - + Verify the UEFI Boot Loader grub.cfg Group Ownership @@ -291172,11 +291174,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/efi/EFI/redhat/user.cfg Group Ownership @@ -291186,11 +291188,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns group File @@ -291200,11 +291202,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns gshadow File @@ -291214,11 +291216,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership of System Login Banner @@ -291228,11 +291230,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership of System Login Banner for Remote Connections @@ -291242,11 +291244,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership of Message of the Day Banner @@ -291256,11 +291258,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns passwd File @@ -291270,11 +291272,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns shadow File @@ -291284,11 +291286,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/grub.cfg Group Ownership @@ -291298,11 +291300,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns SSH Server config file @@ -291312,11 +291314,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/user.cfg Group Ownership @@ -291326,11 +291328,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /var/log Directory @@ -291340,11 +291342,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /var/log/messages File @@ -291354,11 +291356,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns /var/log/syslog File @@ -291367,11 +291369,11 @@ which the system will be deployed as closely as possible.This test makes sure that /var/log/syslog is group owned by 4. - + - + Verify that audit tools are owned by group root @@ -291381,7 +291383,7 @@ which the system will be deployed as closely as possible. - + @@ -291391,7 +291393,7 @@ which the system will be deployed as closely as possible. - + Audit Configuration Files Must Be Owned By Group root @@ -291400,12 +291402,12 @@ which the system will be deployed as closely as possible.This test makes sure that /etc/audit/, /etc/audit/rules.d/ is group owned by 0. - + - + Verify Group Ownership on SSH Server Private *_key Key Files @@ -291415,11 +291417,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Ownership on SSH Server Public *.pub Key Files @@ -291429,11 +291431,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup group File @@ -291443,11 +291445,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup gshadow File @@ -291457,11 +291459,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns Backup passwd File @@ -291471,11 +291473,11 @@ which the system will be deployed as closely as possible. - + - + Verify Group Who Owns Backup shadow File @@ -291485,11 +291487,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /etc/cron.allow file @@ -291499,11 +291501,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.d @@ -291513,11 +291515,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.daily @@ -291527,11 +291529,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.hourly @@ -291541,11 +291543,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.monthly @@ -291555,11 +291557,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on cron.weekly @@ -291569,11 +291571,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on crontab @@ -291583,11 +291585,11 @@ which the system will be deployed as closely as possible. - + - + Verify the UEFI Boot Loader grub.cfg User Ownership @@ -291597,11 +291599,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/efi/EFI/redhat/user.cfg User Ownership @@ -291611,11 +291613,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns group File @@ -291625,11 +291627,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns gshadow File @@ -291639,11 +291641,11 @@ which the system will be deployed as closely as possible. - + - + Verify ownership of System Login Banner @@ -291653,11 +291655,11 @@ which the system will be deployed as closely as possible. - + - + Verify ownership of System Login Banner for Remote Connections @@ -291667,11 +291669,11 @@ which the system will be deployed as closely as possible. - + - + Verify ownership of Message of the Day Banner @@ -291681,11 +291683,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns passwd File @@ -291695,11 +291697,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns shadow File @@ -291709,11 +291711,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/grub.cfg User Ownership @@ -291723,11 +291725,11 @@ which the system will be deployed as closely as possible. - + - + Verify Owner on SSH Server config file @@ -291737,11 +291739,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/user.cfg User Ownership @@ -291751,11 +291753,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /var/log Directory @@ -291765,11 +291767,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /var/log/messages File @@ -291779,11 +291781,11 @@ which the system will be deployed as closely as possible. - + - + Verify User Who Owns /var/log/syslog File @@ -291792,11 +291794,11 @@ which the system will be deployed as closely as possible.This test makes sure that /var/log/syslog is owned by 104. - + - + Verify that audit tools are owned by root @@ -291806,7 +291808,7 @@ which the system will be deployed as closely as possible. - + @@ -291816,7 +291818,7 @@ which the system will be deployed as closely as possible. - + Audit Configuration Files Must Be Owned By Root @@ -291825,12 +291827,12 @@ which the system will be deployed as closely as possible.This test makes sure that /etc/audit/, /etc/audit/rules.d/ is owned by 0. - + - + Verify that Shared Library Files Have Root Ownership @@ -291840,14 +291842,14 @@ which the system will be deployed as closely as possible. - + - + Verify Ownership on SSH Server Private *_key Key Files @@ -291857,11 +291859,11 @@ which the system will be deployed as closely as possible. - + - + Verify Ownership on SSH Server Public *.pub Key Files @@ -291871,11 +291873,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/at.allow file @@ -291887,11 +291889,11 @@ which the system will be deployed as closely as possible. - + - + Verify that audit tools Have Mode 0755 or less @@ -291903,7 +291905,7 @@ which the system will be deployed as closely as possible. - + @@ -291913,7 +291915,7 @@ which the system will be deployed as closely as possible. - + Audit Configuration Files Permissions are 640 or More Restrictive @@ -291924,12 +291926,12 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup group File @@ -291941,11 +291943,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup gshadow File @@ -291957,11 +291959,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup passwd File @@ -291973,11 +291975,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on Backup shadow File @@ -291989,11 +291991,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/cron.allow file @@ -292005,11 +292007,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.d @@ -292021,11 +292023,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.daily @@ -292037,11 +292039,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.hourly @@ -292053,11 +292055,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.monthly @@ -292069,11 +292071,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on cron.weekly @@ -292085,11 +292087,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on crontab @@ -292101,11 +292103,11 @@ which the system will be deployed as closely as possible. - + - + Verify the UEFI Boot Loader grub.cfg Permissions @@ -292117,11 +292119,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/efi/EFI/redhat/user.cfg Permissions @@ -292133,11 +292135,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/audit/auditd.conf @@ -292149,11 +292151,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /etc/audit/rules.d/*.rules @@ -292165,11 +292167,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on group File @@ -292181,11 +292183,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on gshadow File @@ -292197,11 +292199,11 @@ which the system will be deployed as closely as possible. - + - + Verify permissions on System Login Banner @@ -292213,11 +292215,11 @@ which the system will be deployed as closely as possible. - + - + Verify permissions on System Login Banner for Remote Connections @@ -292229,11 +292231,11 @@ which the system will be deployed as closely as possible. - + - + Verify permissions on Message of the Day Banner @@ -292245,11 +292247,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on passwd File @@ -292261,11 +292263,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on shadow File @@ -292277,11 +292279,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/grub.cfg Permissions @@ -292293,11 +292295,11 @@ which the system will be deployed as closely as possible. - + - + Verify that Shared Library Files Have Restrictive Permissions @@ -292309,14 +292311,14 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on SSH Server config file @@ -292328,11 +292330,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on SSH Server Public *.pub Key Files @@ -292344,11 +292346,11 @@ which the system will be deployed as closely as possible. - + - + Verify /boot/grub2/user.cfg Permissions @@ -292360,11 +292362,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /var/log Directory @@ -292376,11 +292378,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /var/log/messages File @@ -292392,11 +292394,11 @@ which the system will be deployed as closely as possible. - + - + Verify Permissions on /var/log/syslog File @@ -292407,11 +292409,11 @@ which the system will be deployed as closely as possible. - + - + Configure Firewalld to Use the Nftables Backend @@ -292425,7 +292427,7 @@ which the system will be deployed as closely as possible. - + Enable Auditing for Processes Which Start Prior to the Audit Daemon @@ -292437,20 +292439,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Extend Audit Backlog Limit for the Audit Daemon @@ -292462,20 +292464,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + IOMMU configuration directive @@ -292487,20 +292489,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure IPv6 is disabled through kernel boot parameter @@ -292512,20 +292514,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Configure L1 Terminal Fault mitigations @@ -292537,20 +292539,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Force kernel panic on uncorrected MCEs @@ -292562,20 +292564,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure SMAP is not disabled during boot @@ -292587,20 +292589,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure SMEP is not disabled during boot @@ -292612,20 +292614,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enable page allocator poisoning @@ -292637,20 +292639,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enable Kernel Page-Table Isolation (KPTI) @@ -292662,20 +292664,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Configure the confidence in TPM for entropy @@ -292687,20 +292689,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Disable merging of slabs with similar size @@ -292712,20 +292714,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enable SLUB/SLAB allocator poisoning @@ -292737,20 +292739,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Configure Speculative Store Bypass Mitigation @@ -292762,20 +292764,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Enforce Spectre v2 mitigation @@ -292787,20 +292789,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Ensure debug-shell service is not enabled during boot @@ -292811,20 +292813,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Disable vsyscalls @@ -292836,20 +292838,20 @@ which the system will be deployed as closely as possible. - - + + - + - - + + - + Install Smart Card Packages For Multifactor Authentication @@ -292859,11 +292861,11 @@ which the system will be deployed as closely as possible. - + - + Ensure journald is configured to compress large log files @@ -292877,7 +292879,7 @@ which the system will be deployed as closely as possible. - + Ensure journald is configured to send logs to rsyslog @@ -292891,7 +292893,7 @@ which the system will be deployed as closely as possible. - + Ensure journald is configured to write log files to persistent disk @@ -292905,7 +292907,7 @@ which the system will be deployed as closely as possible. - + Do not allow ACPI methods to be inserted/replaced at run time @@ -292923,7 +292925,7 @@ which the system will be deployed as closely as possible. - + Emulate Privileged Access Never (PAN) @@ -292940,7 +292942,7 @@ which the system will be deployed as closely as possible. - + Disable kernel support for MISC binaries @@ -292958,7 +292960,7 @@ which the system will be deployed as closely as possible. - + Enable support for BUG() @@ -292975,7 +292977,7 @@ which the system will be deployed as closely as possible. - + Trigger a kernel BUG when data corruption is detected @@ -292992,7 +292994,7 @@ which the system will be deployed as closely as possible. - + Disable compatibility with brk() @@ -293010,7 +293012,7 @@ which the system will be deployed as closely as possible. - + Disable the 32-bit vDSO @@ -293028,7 +293030,7 @@ which the system will be deployed as closely as possible. - + Enable checks on credential management @@ -293045,7 +293047,7 @@ which the system will be deployed as closely as possible. - + Disable kernel debugfs @@ -293063,7 +293065,7 @@ which the system will be deployed as closely as possible. - + Enable checks on linked list manipulation @@ -293080,7 +293082,7 @@ which the system will be deployed as closely as possible. - + Enable checks on notifier call chains @@ -293097,7 +293099,7 @@ which the system will be deployed as closely as possible. - + Enable checks on scatter-gather (SG) table operations @@ -293114,7 +293116,7 @@ which the system will be deployed as closely as possible. - + Warn on W+X mappings found at boot @@ -293131,7 +293133,7 @@ which the system will be deployed as closely as possible. - + Configure low address space to protect from user allocation @@ -293148,7 +293150,7 @@ which the system will be deployed as closely as possible. - + Disable /dev/kmem virtual device support @@ -293166,7 +293168,7 @@ which the system will be deployed as closely as possible. - + Harden common str/mem functions against buffer overflows @@ -293183,7 +293185,7 @@ which the system will be deployed as closely as possible. - + Generate some entropy during boot and runtime @@ -293200,7 +293202,7 @@ which the system will be deployed as closely as possible. - + Force initialization of variables containing userspace addresses @@ -293217,7 +293219,7 @@ which the system will be deployed as closely as possible. - + Harden memory copies between kernel and userspace @@ -293234,7 +293236,7 @@ which the system will be deployed as closely as possible. - + Do not allow usercopy whitelist violations to fallback to object size @@ -293252,7 +293254,7 @@ which the system will be deployed as closely as possible. - + Disable hibernation @@ -293270,7 +293272,7 @@ which the system will be deployed as closely as possible. - + Disable IA32 emulation @@ -293288,7 +293290,7 @@ which the system will be deployed as closely as possible. - + Disable the IPv6 protocol @@ -293306,7 +293308,7 @@ which the system will be deployed as closely as possible. - + Disable kexec system call @@ -293324,7 +293326,7 @@ which the system will be deployed as closely as possible. - + Disable legacy (BSD) PTY support @@ -293342,7 +293344,7 @@ which the system will be deployed as closely as possible. - + Disable vsyscall emulation @@ -293360,7 +293362,7 @@ which the system will be deployed as closely as possible. - + Disable vsyscall mapping @@ -293377,7 +293379,7 @@ which the system will be deployed as closely as possible. - + Disable the LDT (local descriptor table) @@ -293395,7 +293397,7 @@ which the system will be deployed as closely as possible. - + Enable module signature verification @@ -293412,7 +293414,7 @@ which the system will be deployed as closely as possible. - + Enable automatic signing of all modules @@ -293429,7 +293431,7 @@ which the system will be deployed as closely as possible. - + Require modules to be validly signed @@ -293446,7 +293448,7 @@ which the system will be deployed as closely as possible. - + Specify the hash to use when signing modules @@ -293463,7 +293465,7 @@ which the system will be deployed as closely as possible. - + Specify module signing key to use @@ -293480,7 +293482,7 @@ which the system will be deployed as closely as possible. - + Sign kernel modules with SHA-512 @@ -293497,7 +293499,7 @@ which the system will be deployed as closely as possible. - + Enable poison of pages after freeing @@ -293514,7 +293516,7 @@ which the system will be deployed as closely as possible. - + Enable poison without sanity check @@ -293531,7 +293533,7 @@ which the system will be deployed as closely as possible. - + Use zero for poisoning instead of debugging value @@ -293548,7 +293550,7 @@ which the system will be deployed as closely as possible. - + Remove the kernel mapping in user mode @@ -293565,7 +293567,7 @@ which the system will be deployed as closely as possible. - + Kernel panic oops @@ -293582,7 +293584,7 @@ which the system will be deployed as closely as possible. - + Kernel panic timeout @@ -293599,7 +293601,7 @@ which the system will be deployed as closely as possible. - + Disable support for /proc/kkcore @@ -293617,7 +293619,7 @@ which the system will be deployed as closely as possible. - + Randomize the address of the kernel image (KASLR) @@ -293634,7 +293636,7 @@ which the system will be deployed as closely as possible. - + Randomize the kernel memory sections @@ -293651,7 +293653,7 @@ which the system will be deployed as closely as possible. - + Perform full reference count validation @@ -293668,7 +293670,7 @@ which the system will be deployed as closely as possible. - + Avoid speculative indirect branches in kernel @@ -293685,7 +293687,7 @@ which the system will be deployed as closely as possible. - + Detect stack corruption on calls to schedule() @@ -293702,7 +293704,7 @@ which the system will be deployed as closely as possible. - + Enable seccomp to safely compute untrusted bytecode @@ -293719,7 +293721,7 @@ which the system will be deployed as closely as possible. - + Enable use of Berkeley Packet Filter with seccomp @@ -293736,7 +293738,7 @@ which the system will be deployed as closely as possible. - + Enable different security models @@ -293753,7 +293755,7 @@ which the system will be deployed as closely as possible. - + Restrict unprivileged access to the kernel syslog @@ -293771,7 +293773,7 @@ which the system will be deployed as closely as possible. - + Disable mutable hooks @@ -293788,7 +293790,7 @@ which the system will be deployed as closely as possible. - + Enable Yama support @@ -293805,7 +293807,7 @@ which the system will be deployed as closely as possible. - + Harden slab freelist metadata @@ -293822,7 +293824,7 @@ which the system will be deployed as closely as possible. - + Randomize slab freelist @@ -293839,7 +293841,7 @@ which the system will be deployed as closely as possible. - + Disallow merge of slab caches @@ -293857,7 +293859,7 @@ which the system will be deployed as closely as possible. - + Enable SLUB debugging support @@ -293874,7 +293876,7 @@ which the system will be deployed as closely as possible. - + Stack Protector buffer overlow detection @@ -293891,7 +293893,7 @@ which the system will be deployed as closely as possible. - + Strong Stack Protector @@ -293908,7 +293910,7 @@ which the system will be deployed as closely as possible. - + Make the kernel text and rodata read-only @@ -293925,7 +293927,7 @@ which the system will be deployed as closely as possible. - + Make the module text and rodata read-only @@ -293942,7 +293944,7 @@ which the system will be deployed as closely as possible. - + Enable TCP/IP syncookie support @@ -293959,7 +293961,7 @@ which the system will be deployed as closely as possible. - + Unmap kernel when running in userspace (aka KAISER) @@ -293976,7 +293978,7 @@ which the system will be deployed as closely as possible. - + User a virtually-mapped stack @@ -293993,7 +293995,7 @@ which the system will be deployed as closely as possible. - + Disable x86 vsyscall emulation @@ -294011,7 +294013,7 @@ which the system will be deployed as closely as possible. - + Disable ATM Support @@ -294023,12 +294025,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Bluetooth Kernel Module @@ -294040,12 +294042,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable CAN Support @@ -294057,12 +294059,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel cfg80211 Module @@ -294073,12 +294075,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of cramfs @@ -294090,12 +294092,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable DCCP Support @@ -294107,12 +294109,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable IEEE 1394 (FireWire) Support @@ -294124,12 +294126,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of freevxfs @@ -294140,12 +294142,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of hfs @@ -294156,12 +294158,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of hfsplus @@ -294172,12 +294174,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel iwlmvm Module @@ -294188,12 +294190,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel iwlwifi Module @@ -294204,12 +294206,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of jffs2 @@ -294220,12 +294222,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Kernel mac80211 Module @@ -294236,12 +294238,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable RDS Support @@ -294253,12 +294255,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable SCTP Support @@ -294270,12 +294272,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of squashfs @@ -294287,12 +294289,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable TIPC Support @@ -294304,12 +294306,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of udf @@ -294321,12 +294323,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Modprobe Loading of USB Storage Driver @@ -294338,12 +294340,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable the uvcvideo module @@ -294355,12 +294357,12 @@ which the system will be deployed as closely as possible. - - + + - + Disable Mounting of vFAT filesystems @@ -294372,12 +294374,12 @@ which the system will be deployed as closely as possible. - - + + - + Add nosuid Option to /boot/efi @@ -294390,15 +294392,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noauto Option to /boot @@ -294411,15 +294413,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /boot @@ -294432,15 +294434,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /boot @@ -294453,15 +294455,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /boot @@ -294474,15 +294476,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /dev/shm @@ -294495,14 +294497,14 @@ which the system will be deployed as closely as possible. - + - + Add noexec Option to /dev/shm @@ -294515,14 +294517,14 @@ which the system will be deployed as closely as possible. - + - + Add nosuid Option to /dev/shm @@ -294535,14 +294537,14 @@ which the system will be deployed as closely as possible. - + - + Add grpquota Option to /home @@ -294555,15 +294557,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /home @@ -294576,15 +294578,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /home @@ -294597,15 +294599,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /home @@ -294618,15 +294620,15 @@ which the system will be deployed as closely as possible. - + - + - + Add usrquota Option to /home @@ -294639,15 +294641,15 @@ which the system will be deployed as closely as possible. - + - + - + Mount Remote Filesystems with Kerberos Security @@ -294661,7 +294663,7 @@ which the system will be deployed as closely as possible. - + Mount Remote Filesystems with nodev @@ -294676,7 +294678,7 @@ which the system will be deployed as closely as possible. - + Add nodev Option to Removable Media Partitions @@ -294691,14 +294693,14 @@ which the system will be deployed as closely as possible. - - + + - + - + Mount Remote Filesystems with noexec @@ -294713,7 +294715,7 @@ which the system will be deployed as closely as possible. - + Add noexec Option to Removable Media Partitions @@ -294728,14 +294730,14 @@ which the system will be deployed as closely as possible. - - + + - + - + Mount Remote Filesystems with nosuid @@ -294750,7 +294752,7 @@ which the system will be deployed as closely as possible. - + Add nosuid Option to Removable Media Partitions @@ -294765,14 +294767,14 @@ which the system will be deployed as closely as possible. - - + + - + - + Add nosuid Option to /opt @@ -294785,15 +294787,15 @@ which the system will be deployed as closely as possible. - + - + - + Add hidepid Option to /proc @@ -294806,14 +294808,14 @@ which the system will be deployed as closely as possible. - + - + Add nosuid Option to /srv @@ -294826,15 +294828,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /tmp @@ -294847,15 +294849,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /tmp @@ -294868,15 +294870,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /tmp @@ -294889,15 +294891,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var/log/audit @@ -294910,15 +294912,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var/log/audit @@ -294931,15 +294933,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var/log/audit @@ -294952,15 +294954,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var/log @@ -294973,15 +294975,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var/log @@ -294994,15 +294996,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var/log @@ -295015,15 +295017,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var @@ -295036,15 +295038,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var @@ -295057,15 +295059,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var @@ -295078,15 +295080,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nodev Option to /var/tmp @@ -295099,15 +295101,15 @@ which the system will be deployed as closely as possible. - + - + - + Add noexec Option to /var/tmp @@ -295120,15 +295122,15 @@ which the system will be deployed as closely as possible. - + - + - + Add nosuid Option to /var/tmp @@ -295141,15 +295143,15 @@ which the system will be deployed as closely as possible. - + - + - + package_GConf2_installed @@ -295158,11 +295160,11 @@ which the system will be deployed as closely as possible.The RPM package GConf2 should be installed. - + - + Install the Host Intrusion Prevention System (HIPS) Module @@ -295171,11 +295173,11 @@ which the system will be deployed as closely as possible.The RPM package MFEhiplsm should be installed. - + - + Uninstall abrt-addon-ccpp Package @@ -295185,11 +295187,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-addon-kerneloops Package @@ -295199,11 +295201,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-cli Package @@ -295213,11 +295215,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-plugin-logger Package @@ -295227,11 +295229,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-plugin-rhtsupport Package @@ -295241,11 +295243,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall abrt-plugin-sosreport Package @@ -295255,11 +295257,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall Automatic Bug Reporting Tool (abrt) @@ -295269,11 +295271,11 @@ which the system will be deployed as closely as possible. - + - + Install AIDE @@ -295283,11 +295285,11 @@ which the system will be deployed as closely as possible. - + - + Install audispd-plugins Package @@ -295297,11 +295299,11 @@ which the system will be deployed as closely as possible. - + - + Ensure the default plugins for the audit dispatcher are Installed @@ -295310,11 +295312,11 @@ which the system will be deployed as closely as possible.The RPM package audit-audispd-plugins should be installed. - + - + Ensure the audit Subsystem is Installed @@ -295324,11 +295326,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall avahi-autoipd Server Package @@ -295338,11 +295340,11 @@ which the system will be deployed as closely as possible. - + - + package_avahi_installed @@ -295351,11 +295353,11 @@ which the system will be deployed as closely as possible.The RPM package avahi should be installed. - + - + Uninstall avahi Server Package @@ -295365,11 +295367,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall bind Package @@ -295379,11 +295381,11 @@ which the system will be deployed as closely as possible. - + - + Install binutils Package @@ -295393,11 +295395,11 @@ which the system will be deployed as closely as possible. - + - + The Chrony package is installed @@ -295407,11 +295409,11 @@ which the system will be deployed as closely as possible. - + - + Install the cron service @@ -295420,11 +295422,11 @@ which the system will be deployed as closely as possible.The RPM package cron should be installed. - + - + Install crypto-policies package @@ -295434,11 +295436,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall CUPS Package @@ -295448,11 +295450,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall cyrus-imapd Package @@ -295462,11 +295464,11 @@ which the system will be deployed as closely as possible. - + - + package_dconf_installed @@ -295475,11 +295477,11 @@ which the system will be deployed as closely as possible.The RPM package dconf should be installed. - + - + Uninstall DHCP Server Package @@ -295489,11 +295491,11 @@ which the system will be deployed as closely as possible. - + - + Install dnf-automatic Package @@ -295503,11 +295505,11 @@ which the system will be deployed as closely as possible. - + - + Install dnf-plugin-subscription-manager Package @@ -295517,11 +295519,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall dovecot Package @@ -295531,11 +295533,11 @@ which the system will be deployed as closely as possible. - + - + package_esc_installed @@ -295544,11 +295546,11 @@ which the system will be deployed as closely as possible.The RPM package esc should be installed. - + - + Install fapolicyd Package @@ -295558,11 +295560,11 @@ which the system will be deployed as closely as possible. - + - + Install firewalld Package @@ -295572,11 +295574,11 @@ which the system will be deployed as closely as possible. - + - + Remove the FreeRadius Server Package @@ -295586,11 +295588,11 @@ which the system will be deployed as closely as possible. - + - + package_gdm_installed @@ -295599,11 +295601,11 @@ which the system will be deployed as closely as possible.The RPM package gdm should be installed. - + - + Remove the GDM Package Group @@ -295613,11 +295615,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall geolite2-city Package @@ -295627,11 +295629,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall geolite2-country Package @@ -295641,11 +295643,11 @@ which the system will be deployed as closely as possible. - + - + Ensure gnutls-utils is installed @@ -295655,11 +295657,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall gssproxy Package @@ -295669,11 +295671,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall httpd Package @@ -295683,11 +295685,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall the inet-based telnet server @@ -295696,11 +295698,11 @@ which the system will be deployed as closely as possible.The RPM package inetutils-telnetd should be removed. - + - + Uninstall iprutils Package @@ -295710,11 +295712,11 @@ which the system will be deployed as closely as possible. - + - + Install iptables-services Package @@ -295724,11 +295726,11 @@ which the system will be deployed as closely as possible. - + - + Remove iptables-services Package @@ -295738,11 +295740,11 @@ which the system will be deployed as closely as possible. - + - + Install iptables Package @@ -295752,11 +295754,11 @@ which the system will be deployed as closely as possible. - + - + Remove the Kerberos Server Package @@ -295766,11 +295768,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall krb5-workstation Package @@ -295780,11 +295782,11 @@ which the system will be deployed as closely as possible. - + - + Install libcap-ng-utils Package @@ -295794,11 +295796,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall libreport-plugin-logger Package @@ -295808,11 +295810,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall libreport-plugin-rhtsupport Package @@ -295822,11 +295824,11 @@ which the system will be deployed as closely as possible. - + - + Install libreswan Package @@ -295836,11 +295838,11 @@ which the system will be deployed as closely as possible. - + - + Install libselinux Package @@ -295850,11 +295852,11 @@ which the system will be deployed as closely as possible. - + - + Ensure logrotate is Installed @@ -295864,11 +295866,11 @@ which the system will be deployed as closely as possible. - + - + The mailx Package Is Installed @@ -295878,11 +295880,11 @@ which the system will be deployed as closely as possible. - + - + Install McAfee Endpoint Security for Linux (ENSL) @@ -295892,11 +295894,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall mcstrans Package @@ -295906,11 +295908,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall net-snmp Package @@ -295920,11 +295922,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall nfs-utils Package @@ -295934,11 +295936,11 @@ which the system will be deployed as closely as possible. - + - + Install nftables Package @@ -295948,11 +295950,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall nginx Package @@ -295962,11 +295964,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall the nis package @@ -295975,11 +295977,11 @@ which the system will be deployed as closely as possible.The RPM package nis should be removed. - + - + Ensure nss-tools is installed @@ -295989,11 +295991,11 @@ which the system will be deployed as closely as possible. - + - + Install the ntp service @@ -296002,11 +296004,11 @@ which the system will be deployed as closely as possible.The RPM package ntp should be installed. - + - + Uninstall the ntpdate package @@ -296015,11 +296017,11 @@ which the system will be deployed as closely as possible.The RPM package ntpdate should be removed. - + - + Ensure LDAP client is not installed @@ -296029,11 +296031,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall openldap-servers Package @@ -296043,11 +296045,11 @@ which the system will be deployed as closely as possible. - + - + Install the opensc Package For Multifactor Authentication @@ -296057,11 +296059,11 @@ which the system will be deployed as closely as possible. - + - + Install openscap-scanner Package @@ -296071,11 +296073,11 @@ which the system will be deployed as closely as possible. - + - + Install OpenSSH client software @@ -296085,11 +296087,11 @@ which the system will be deployed as closely as possible. - + - + Install the OpenSSH Server Package @@ -296099,11 +296101,11 @@ which the system will be deployed as closely as possible. - + - + Remove the OpenSSH Server Package @@ -296112,11 +296114,11 @@ which the system will be deployed as closely as possible.The RPM package openssh-server should be removed. - + - + package_pam_ldap_removed @@ -296125,11 +296127,11 @@ which the system will be deployed as closely as possible.The RPM package pam_ldap should be removed. - + - + Install pam_pwquality Package @@ -296138,11 +296140,11 @@ which the system will be deployed as closely as possible.The RPM package libpwquality should be installed. - + - + Install the pcsc-lite package @@ -296152,11 +296154,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall pigz Package @@ -296166,11 +296168,11 @@ which the system will be deployed as closely as possible. - + - + Install policycoreutils-python-utils package @@ -296180,11 +296182,11 @@ which the system will be deployed as closely as possible. - + - + Install policycoreutils Package @@ -296194,11 +296196,11 @@ which the system will be deployed as closely as possible. - + - + The Postfix package is installed @@ -296208,11 +296210,11 @@ which the system will be deployed as closely as possible. - + - + package_prelink_removed @@ -296221,11 +296223,11 @@ which the system will be deployed as closely as possible.The RPM package prelink should be removed. - + - + Install the psacct package @@ -296235,11 +296237,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall python3-abrt-addon Package @@ -296249,11 +296251,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall quagga Package @@ -296263,11 +296265,11 @@ which the system will be deployed as closely as possible. - + - + Install rear Package @@ -296277,11 +296279,11 @@ which the system will be deployed as closely as possible. - + - + Install rng-tools Package @@ -296291,11 +296293,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rpcbind Package @@ -296305,11 +296307,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rsh-server Package @@ -296319,11 +296321,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rsh Package @@ -296333,11 +296335,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall rsync Package @@ -296347,11 +296349,11 @@ which the system will be deployed as closely as possible. - + - + Ensure rsyslog-gnutls is installed @@ -296361,11 +296363,11 @@ which the system will be deployed as closely as possible. - + - + Ensure rsyslog is Installed @@ -296375,11 +296377,11 @@ which the system will be deployed as closely as possible. - + - + Install the Samba Common Package @@ -296388,11 +296390,11 @@ which the system will be deployed as closely as possible.The RPM package samba-common should be installed. - + - + package_samba-common_removed @@ -296401,11 +296403,11 @@ which the system will be deployed as closely as possible.The RPM package samba-common should be removed. - + - + Uninstall Samba Package @@ -296415,11 +296417,11 @@ which the system will be deployed as closely as possible. - + - + Install scap-security-guide Package @@ -296429,11 +296431,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall Sendmail Package @@ -296443,11 +296445,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall setroubleshoot-plugins Package @@ -296457,11 +296459,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall setroubleshoot-server Package @@ -296471,11 +296473,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall setroubleshoot Package @@ -296485,11 +296487,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall squid Package @@ -296499,11 +296501,11 @@ which the system will be deployed as closely as possible. - + - + Install sssd-ipa Package @@ -296513,11 +296515,11 @@ which the system will be deployed as closely as possible. - + - + Install the SSSD Package @@ -296527,11 +296529,11 @@ which the system will be deployed as closely as possible. - + - + Install subscription-manager Package @@ -296541,11 +296543,11 @@ which the system will be deployed as closely as possible. - + - + Install sudo Package @@ -296555,11 +296557,11 @@ which the system will be deployed as closely as possible. - + - + Ensure syslog-ng is Installed @@ -296568,11 +296570,11 @@ which the system will be deployed as closely as possible.The RPM package syslog-ng should be installed. - + - + Install systemd-journal-remote Package @@ -296581,11 +296583,11 @@ which the system will be deployed as closely as possible.The RPM package systemd-journal-remote should be installed. - + - + Uninstall talk-server Package @@ -296595,11 +296597,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall talk Package @@ -296609,11 +296611,11 @@ which the system will be deployed as closely as possible. - + - + Install tar Package @@ -296623,11 +296625,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall telnet-server Package @@ -296637,11 +296639,11 @@ which the system will be deployed as closely as possible. - + - + Remove telnet Clients @@ -296651,11 +296653,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall the ssl compliant telnet server @@ -296664,11 +296666,11 @@ which the system will be deployed as closely as possible.The RPM package telnetd-ssl should be removed. - + - + Uninstall the telnet server @@ -296678,11 +296680,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall tftp-server Package @@ -296692,11 +296694,11 @@ which the system will be deployed as closely as possible. - + - + Remove tftp Daemon @@ -296706,11 +296708,11 @@ which the system will be deployed as closely as possible. - + - + Install the tmux Package @@ -296720,11 +296722,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall tuned Package @@ -296734,11 +296736,11 @@ which the system will be deployed as closely as possible. - + - + Install usbguard Package @@ -296748,11 +296750,11 @@ which the system will be deployed as closely as possible. - + - + Install vim Package @@ -296762,11 +296764,11 @@ which the system will be deployed as closely as possible. - + - + Install vsftpd Package @@ -296776,11 +296778,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall vsftpd Package @@ -296790,11 +296792,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall xinetd Package @@ -296804,11 +296806,11 @@ which the system will be deployed as closely as possible. - + - + Remove the X Windows Package Group @@ -296818,11 +296820,11 @@ which the system will be deployed as closely as possible. - + - + Remove NIS Client @@ -296832,11 +296834,11 @@ which the system will be deployed as closely as possible. - + - + Uninstall ypserv Package @@ -296846,11 +296848,11 @@ which the system will be deployed as closely as possible. - + - + Ensure /boot Located On Separate Partition @@ -296864,11 +296866,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /dev/shm is configured @@ -296882,11 +296884,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /home Located On Separate Partition @@ -296900,11 +296902,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /opt Located On Separate Partition @@ -296918,11 +296920,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /srv Located On Separate Partition @@ -296936,11 +296938,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /tmp Located On Separate Partition @@ -296954,11 +296956,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /usr Located On Separate Partition @@ -296972,11 +296974,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var Located On Separate Partition @@ -296990,11 +296992,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var/log Located On Separate Partition @@ -297008,11 +297010,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var/log/audit Located On Separate Partition @@ -297026,11 +297028,11 @@ which the system will be deployed as closely as possible. - - + + - + Ensure /var/tmp Located On Separate Partition @@ -297044,11 +297046,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. @@ -297059,14 +297061,14 @@ which the system will be deployed as closely as possible. - + - + Ensure Log Files Are Owned By Appropriate Group @@ -297077,10 +297079,10 @@ which the system will be deployed as closely as possible. - + - + Ensure Log Files Are Owned By Appropriate User @@ -297091,10 +297093,10 @@ which the system will be deployed as closely as possible. - + - + Ensure System Log Files Have Correct Permissions @@ -297105,10 +297107,10 @@ which the system will be deployed as closely as possible. - + - + Disable the abrt_anon_write SELinux Boolean @@ -297117,11 +297119,11 @@ which the system will be deployed as closely as possible.The SELinux 'abrt_anon_write' boolean should be set in the system configuration. - + - + Disable the abrt_handle_event SELinux Boolean @@ -297130,11 +297132,11 @@ which the system will be deployed as closely as possible.The SELinux 'abrt_handle_event' boolean should be set in the system configuration. - + - + Disable the abrt_upload_watch_anon_write SELinux Boolean @@ -297143,11 +297145,11 @@ which the system will be deployed as closely as possible.The SELinux 'abrt_upload_watch_anon_write' boolean should be set in the system configuration. - + - + Enable the antivirus_can_scan_system SELinux Boolean @@ -297156,11 +297158,11 @@ which the system will be deployed as closely as possible.The SELinux 'antivirus_can_scan_system' boolean should be set in the system configuration. - + - + Disable the antivirus_use_jit SELinux Boolean @@ -297169,11 +297171,11 @@ which the system will be deployed as closely as possible.The SELinux 'antivirus_use_jit' boolean should be set in the system configuration. - + - + Enable the auditadm_exec_content SELinux Boolean @@ -297183,11 +297185,11 @@ which the system will be deployed as closely as possible. - + - + Disable the authlogin_nsswitch_use_ldap SELinux Boolean @@ -297197,11 +297199,11 @@ which the system will be deployed as closely as possible. - + - + Disable the authlogin_radius SELinux Boolean @@ -297211,11 +297213,11 @@ which the system will be deployed as closely as possible. - + - + Disable the authlogin_yubikey SELinux Boolean @@ -297224,11 +297226,11 @@ which the system will be deployed as closely as possible.The SELinux 'authlogin_yubikey' boolean should be set in the system configuration. - + - + Disable the awstats_purge_apache_log_files SELinux Boolean @@ -297237,11 +297239,11 @@ which the system will be deployed as closely as possible.The SELinux 'awstats_purge_apache_log_files' boolean should be set in the system configuration. - + - + Disable the boinc_execmem SELinux Boolean @@ -297251,11 +297253,11 @@ which the system will be deployed as closely as possible. - + - + Disable the cdrecord_read_content SELinux Boolean @@ -297264,11 +297266,11 @@ which the system will be deployed as closely as possible.The SELinux 'cdrecord_read_content' boolean should be set in the system configuration. - + - + Disable the cluster_can_network_connect SELinux Boolean @@ -297277,11 +297279,11 @@ which the system will be deployed as closely as possible.The SELinux 'cluster_can_network_connect' boolean should be set in the system configuration. - + - + Disable the cluster_manage_all_files SELinux Boolean @@ -297290,11 +297292,11 @@ which the system will be deployed as closely as possible.The SELinux 'cluster_manage_all_files' boolean should be set in the system configuration. - + - + Disable the cluster_use_execmem SELinux Boolean @@ -297304,11 +297306,11 @@ which the system will be deployed as closely as possible. - + - + Disable the cobbler_anon_write SELinux Boolean @@ -297317,11 +297319,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_anon_write' boolean should be set in the system configuration. - + - + Disable the cobbler_can_network_connect SELinux Boolean @@ -297330,11 +297332,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_can_network_connect' boolean should be set in the system configuration. - + - + Disable the cobbler_use_cifs SELinux Boolean @@ -297343,11 +297345,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_use_cifs' boolean should be set in the system configuration. - + - + Disable the cobbler_use_nfs SELinux Boolean @@ -297356,11 +297358,11 @@ which the system will be deployed as closely as possible.The SELinux 'cobbler_use_nfs' boolean should be set in the system configuration. - + - + Disable the collectd_tcp_network_connect SELinux Boolean @@ -297369,11 +297371,11 @@ which the system will be deployed as closely as possible.The SELinux 'collectd_tcp_network_connect' boolean should be set in the system configuration. - + - + Disable the condor_tcp_network_connect SELinux Boolean @@ -297382,11 +297384,11 @@ which the system will be deployed as closely as possible.The SELinux 'condor_tcp_network_connect' boolean should be set in the system configuration. - + - + Disable the conman_can_network SELinux Boolean @@ -297395,11 +297397,11 @@ which the system will be deployed as closely as possible.The SELinux 'conman_can_network' boolean should be set in the system configuration. - + - + Disable the container_connect_any SELinux Boolean @@ -297408,11 +297410,11 @@ which the system will be deployed as closely as possible.The SELinux 'container_connect_any' boolean should be set in the system configuration. - + - + Disable the cron_can_relabel SELinux Boolean @@ -297421,11 +297423,11 @@ which the system will be deployed as closely as possible.The SELinux 'cron_can_relabel' boolean should be set in the system configuration. - + - + Disable the cron_system_cronjob_use_shares SELinux Boolean @@ -297434,11 +297436,11 @@ which the system will be deployed as closely as possible.The SELinux 'cron_system_cronjob_use_shares' boolean should be set in the system configuration. - + - + Enable the cron_userdomain_transition SELinux Boolean @@ -297447,11 +297449,11 @@ which the system will be deployed as closely as possible.The SELinux 'cron_userdomain_transition' boolean should be set in the system configuration. - + - + Disable the cups_execmem SELinux Boolean @@ -297461,11 +297463,11 @@ which the system will be deployed as closely as possible. - + - + Disable the cvs_read_shadow SELinux Boolean @@ -297474,11 +297476,11 @@ which the system will be deployed as closely as possible.The SELinux 'cvs_read_shadow' boolean should be set in the system configuration. - + - + Disable the daemons_dump_core SELinux Boolean @@ -297487,11 +297489,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_dump_core' boolean should be set in the system configuration. - + - + Disable the daemons_enable_cluster_mode SELinux Boolean @@ -297500,11 +297502,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_enable_cluster_mode' boolean should be set in the system configuration. - + - + Disable the daemons_use_tcp_wrapper SELinux Boolean @@ -297513,11 +297515,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_use_tcp_wrapper' boolean should be set in the system configuration. - + - + Disable the daemons_use_tty SELinux Boolean @@ -297526,11 +297528,11 @@ which the system will be deployed as closely as possible.The SELinux 'daemons_use_tty' boolean should be set in the system configuration. - + - + Enable the dbadm_exec_content SELinux Boolean @@ -297539,11 +297541,11 @@ which the system will be deployed as closely as possible.The SELinux 'dbadm_exec_content' boolean should be set in the system configuration. - + - + Disable the dbadm_manage_user_files SELinux Boolean @@ -297552,11 +297554,11 @@ which the system will be deployed as closely as possible.The SELinux 'dbadm_manage_user_files' boolean should be set in the system configuration. - + - + Disable the dbadm_read_user_files SELinux Boolean @@ -297565,11 +297567,11 @@ which the system will be deployed as closely as possible.The SELinux 'dbadm_read_user_files' boolean should be set in the system configuration. - + - + Configure the deny_execmem SELinux Boolean @@ -297579,11 +297581,11 @@ which the system will be deployed as closely as possible. - + - + Disable the deny_ptrace SELinux Boolean @@ -297592,11 +297594,11 @@ which the system will be deployed as closely as possible.The SELinux 'deny_ptrace' boolean should be set in the system configuration. - + - + Disable the dhcpc_exec_iptables SELinux Boolean @@ -297605,11 +297607,11 @@ which the system will be deployed as closely as possible.The SELinux 'dhcpc_exec_iptables' boolean should be set in the system configuration. - + - + Disable the dhcpd_use_ldap SELinux Boolean @@ -297618,11 +297620,11 @@ which the system will be deployed as closely as possible.The SELinux 'dhcpd_use_ldap' boolean should be set in the system configuration. - + - + Enable the domain_fd_use SELinux Boolean @@ -297631,11 +297633,11 @@ which the system will be deployed as closely as possible.The SELinux 'domain_fd_use' boolean should be set in the system configuration. - + - + Disable the domain_kernel_load_modules SELinux Boolean @@ -297644,11 +297646,11 @@ which the system will be deployed as closely as possible.The SELinux 'domain_kernel_load_modules' boolean should be set in the system configuration. - + - + Disable the entropyd_use_audio SELinux Boolean @@ -297657,11 +297659,11 @@ which the system will be deployed as closely as possible.The SELinux 'entropyd_use_audio' boolean should be set in the system configuration. - + - + Disable the exim_can_connect_db SELinux Boolean @@ -297670,11 +297672,11 @@ which the system will be deployed as closely as possible.The SELinux 'exim_can_connect_db' boolean should be set in the system configuration. - + - + Disable the exim_manage_user_files SELinux Boolean @@ -297683,11 +297685,11 @@ which the system will be deployed as closely as possible.The SELinux 'exim_manage_user_files' boolean should be set in the system configuration. - + - + Disable the exim_read_user_files SELinux Boolean @@ -297696,11 +297698,11 @@ which the system will be deployed as closely as possible.The SELinux 'exim_read_user_files' boolean should be set in the system configuration. - + - + Disable the fcron_crond SELinux Boolean @@ -297709,11 +297711,11 @@ which the system will be deployed as closely as possible.The SELinux 'fcron_crond' boolean should be set in the system configuration. - + - + Disable the fenced_can_network_connect SELinux Boolean @@ -297722,11 +297724,11 @@ which the system will be deployed as closely as possible.The SELinux 'fenced_can_network_connect' boolean should be set in the system configuration. - + - + Disable the fenced_can_ssh SELinux Boolean @@ -297735,11 +297737,11 @@ which the system will be deployed as closely as possible.The SELinux 'fenced_can_ssh' boolean should be set in the system configuration. - + - + Enable the fips_mode SELinux Boolean @@ -297748,11 +297750,11 @@ which the system will be deployed as closely as possible.The SELinux 'fips_mode' boolean should be set in the system configuration. - + - + Disable the ftpd_anon_write SELinux Boolean @@ -297761,11 +297763,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_anon_write' boolean should be set in the system configuration. - + - + Disable the ftpd_connect_all_unreserved SELinux Boolean @@ -297774,11 +297776,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_connect_all_unreserved' boolean should be set in the system configuration. - + - + Disable the ftpd_connect_db SELinux Boolean @@ -297787,11 +297789,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_connect_db' boolean should be set in the system configuration. - + - + Disable the ftpd_full_access SELinux Boolean @@ -297800,11 +297802,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_full_access' boolean should be set in the system configuration. - + - + Disable the ftpd_use_cifs SELinux Boolean @@ -297813,11 +297815,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_cifs' boolean should be set in the system configuration. - + - + Disable the ftpd_use_fusefs SELinux Boolean @@ -297826,11 +297828,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_fusefs' boolean should be set in the system configuration. - + - + Disable the ftpd_use_nfs SELinux Boolean @@ -297839,11 +297841,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_nfs' boolean should be set in the system configuration. - + - + Disable the ftpd_use_passive_mode SELinux Boolean @@ -297852,11 +297854,11 @@ which the system will be deployed as closely as possible.The SELinux 'ftpd_use_passive_mode' boolean should be set in the system configuration. - + - + Disable the git_cgi_enable_homedirs SELinux Boolean @@ -297865,11 +297867,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_cgi_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the git_cgi_use_cifs SELinux Boolean @@ -297878,11 +297880,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_cgi_use_cifs' boolean should be set in the system configuration. - + - + Disable the git_cgi_use_nfs SELinux Boolean @@ -297891,11 +297893,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_cgi_use_nfs' boolean should be set in the system configuration. - + - + Disable the git_session_bind_all_unreserved_ports SELinux Boolean @@ -297904,11 +297906,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_session_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the git_session_users SELinux Boolean @@ -297917,11 +297919,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_session_users' boolean should be set in the system configuration. - + - + Disable the git_system_enable_homedirs SELinux Boolean @@ -297930,11 +297932,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_system_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the git_system_use_cifs SELinux Boolean @@ -297943,11 +297945,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_system_use_cifs' boolean should be set in the system configuration. - + - + Disable the git_system_use_nfs SELinux Boolean @@ -297956,11 +297958,11 @@ which the system will be deployed as closely as possible.The SELinux 'git_system_use_nfs' boolean should be set in the system configuration. - + - + Disable the gitosis_can_sendmail SELinux Boolean @@ -297969,11 +297971,11 @@ which the system will be deployed as closely as possible.The SELinux 'gitosis_can_sendmail' boolean should be set in the system configuration. - + - + Disable the glance_api_can_network SELinux Boolean @@ -297982,11 +297984,11 @@ which the system will be deployed as closely as possible.The SELinux 'glance_api_can_network' boolean should be set in the system configuration. - + - + Disable the glance_use_execmem SELinux Boolean @@ -297996,11 +297998,11 @@ which the system will be deployed as closely as possible. - + - + Disable the glance_use_fusefs SELinux Boolean @@ -298009,11 +298011,11 @@ which the system will be deployed as closely as possible.The SELinux 'glance_use_fusefs' boolean should be set in the system configuration. - + - + Disable the global_ssp SELinux Boolean @@ -298022,11 +298024,11 @@ which the system will be deployed as closely as possible.The SELinux 'global_ssp' boolean should be set in the system configuration. - + - + Disable the gluster_anon_write SELinux Boolean @@ -298035,11 +298037,11 @@ which the system will be deployed as closely as possible.The SELinux 'gluster_anon_write' boolean should be set in the system configuration. - + - + Disable the gluster_export_all_ro SELinux Boolean @@ -298048,11 +298050,11 @@ which the system will be deployed as closely as possible.The SELinux 'gluster_export_all_ro' boolean should be set in the system configuration. - + - + Configure the gluster_export_all_rw SELinux Boolean @@ -298061,11 +298063,11 @@ which the system will be deployed as closely as possible.The SELinux 'gluster_export_all_rw' boolean should be set in the system configuration. - + - + Disable the gpg_web_anon_write SELinux Boolean @@ -298074,11 +298076,11 @@ which the system will be deployed as closely as possible.The SELinux 'gpg_web_anon_write' boolean should be set in the system configuration. - + - + Enable the gssd_read_tmp SELinux Boolean @@ -298087,11 +298089,11 @@ which the system will be deployed as closely as possible.The SELinux 'gssd_read_tmp' boolean should be set in the system configuration. - + - + Disable the guest_exec_content SELinux Boolean @@ -298100,11 +298102,11 @@ which the system will be deployed as closely as possible.The SELinux 'guest_exec_content' boolean should be set in the system configuration. - + - + Disable the haproxy_connect_any SELinux Boolean @@ -298113,11 +298115,11 @@ which the system will be deployed as closely as possible.The SELinux 'haproxy_connect_any' boolean should be set in the system configuration. - + - + Disable the httpd_anon_write SELinux Boolean @@ -298126,11 +298128,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_anon_write' boolean should be set in the system configuration. - + - + Configure the httpd_builtin_scripting SELinux Boolean @@ -298139,11 +298141,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_builtin_scripting' boolean should be set in the system configuration. - + - + Disable the httpd_can_check_spam SELinux Boolean @@ -298152,11 +298154,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_check_spam' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_ftp SELinux Boolean @@ -298165,11 +298167,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_ftp' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_ldap SELinux Boolean @@ -298178,11 +298180,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_ldap' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_mythtv SELinux Boolean @@ -298191,11 +298193,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_mythtv' boolean should be set in the system configuration. - + - + Disable the httpd_can_connect_zabbix SELinux Boolean @@ -298204,11 +298206,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_connect_zabbix' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_connect SELinux Boolean @@ -298217,11 +298219,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_connect' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_connect_cobbler SELinux Boolean @@ -298230,11 +298232,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_connect_cobbler' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_connect_db SELinux Boolean @@ -298243,11 +298245,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_connect_db' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_memcache SELinux Boolean @@ -298256,11 +298258,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_memcache' boolean should be set in the system configuration. - + - + Disable the httpd_can_network_relay SELinux Boolean @@ -298269,11 +298271,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_network_relay' boolean should be set in the system configuration. - + - + Disable the httpd_can_sendmail SELinux Boolean @@ -298282,11 +298284,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_can_sendmail' boolean should be set in the system configuration. - + - + Disable the httpd_dbus_avahi SELinux Boolean @@ -298295,11 +298297,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_dbus_avahi' boolean should be set in the system configuration. - + - + Disable the httpd_dbus_sssd SELinux Boolean @@ -298308,11 +298310,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_dbus_sssd' boolean should be set in the system configuration. - + - + Disable the httpd_dontaudit_search_dirs SELinux Boolean @@ -298321,11 +298323,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_dontaudit_search_dirs' boolean should be set in the system configuration. - + - + Configure the httpd_enable_cgi SELinux Boolean @@ -298334,11 +298336,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_enable_cgi' boolean should be set in the system configuration. - + - + Disable the httpd_enable_ftp_server SELinux Boolean @@ -298347,11 +298349,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_enable_ftp_server' boolean should be set in the system configuration. - + - + Disable the httpd_enable_homedirs SELinux Boolean @@ -298360,11 +298362,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the httpd_execmem SELinux Boolean @@ -298374,11 +298376,11 @@ which the system will be deployed as closely as possible. - + - + Enable the httpd_graceful_shutdown SELinux Boolean @@ -298387,11 +298389,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_graceful_shutdown' boolean should be set in the system configuration. - + - + Disable the httpd_manage_ipa SELinux Boolean @@ -298400,11 +298402,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_manage_ipa' boolean should be set in the system configuration. - + - + Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean @@ -298413,11 +298415,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_mod_auth_ntlm_winbind' boolean should be set in the system configuration. - + - + Disable the httpd_mod_auth_pam SELinux Boolean @@ -298426,11 +298428,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_mod_auth_pam' boolean should be set in the system configuration. - + - + Disable the httpd_read_user_content SELinux Boolean @@ -298439,11 +298441,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_read_user_content' boolean should be set in the system configuration. - + - + Disable the httpd_run_ipa SELinux Boolean @@ -298452,11 +298454,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_run_ipa' boolean should be set in the system configuration. - + - + Disable the httpd_run_preupgrade SELinux Boolean @@ -298465,11 +298467,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_run_preupgrade' boolean should be set in the system configuration. - + - + Disable the httpd_run_stickshift SELinux Boolean @@ -298478,11 +298480,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_run_stickshift' boolean should be set in the system configuration. - + - + Disable the httpd_serve_cobbler_files SELinux Boolean @@ -298491,11 +298493,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_serve_cobbler_files' boolean should be set in the system configuration. - + - + Disable the httpd_setrlimit SELinux Boolean @@ -298504,11 +298506,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_setrlimit' boolean should be set in the system configuration. - + - + Disable the httpd_ssi_exec SELinux Boolean @@ -298517,11 +298519,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_ssi_exec' boolean should be set in the system configuration. - + - + Disable the httpd_sys_script_anon_write SELinux Boolean @@ -298530,11 +298532,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_sys_script_anon_write' boolean should be set in the system configuration. - + - + Disable the httpd_tmp_exec SELinux Boolean @@ -298543,11 +298545,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_tmp_exec' boolean should be set in the system configuration. - + - + Disable the httpd_tty_comm SELinux Boolean @@ -298556,11 +298558,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_tty_comm' boolean should be set in the system configuration. - + - + Disable the httpd_unified SELinux Boolean @@ -298569,11 +298571,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_unified' boolean should be set in the system configuration. - + - + Disable the httpd_use_cifs SELinux Boolean @@ -298582,11 +298584,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_cifs' boolean should be set in the system configuration. - + - + Disable the httpd_use_fusefs SELinux Boolean @@ -298595,11 +298597,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_fusefs' boolean should be set in the system configuration. - + - + Disable the httpd_use_gpg SELinux Boolean @@ -298608,11 +298610,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_gpg' boolean should be set in the system configuration. - + - + Disable the httpd_use_nfs SELinux Boolean @@ -298621,11 +298623,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_nfs' boolean should be set in the system configuration. - + - + Disable the httpd_use_openstack SELinux Boolean @@ -298634,11 +298636,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_openstack' boolean should be set in the system configuration. - + - + Disable the httpd_use_sasl SELinux Boolean @@ -298647,11 +298649,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_use_sasl' boolean should be set in the system configuration. - + - + Disable the httpd_verify_dns SELinux Boolean @@ -298660,11 +298662,11 @@ which the system will be deployed as closely as possible.The SELinux 'httpd_verify_dns' boolean should be set in the system configuration. - + - + Disable the icecast_use_any_tcp_ports SELinux Boolean @@ -298673,11 +298675,11 @@ which the system will be deployed as closely as possible.The SELinux 'icecast_use_any_tcp_ports' boolean should be set in the system configuration. - + - + Disable the irc_use_any_tcp_ports SELinux Boolean @@ -298686,11 +298688,11 @@ which the system will be deployed as closely as possible.The SELinux 'irc_use_any_tcp_ports' boolean should be set in the system configuration. - + - + Disable the irssi_use_full_network SELinux Boolean @@ -298699,11 +298701,11 @@ which the system will be deployed as closely as possible.The SELinux 'irssi_use_full_network' boolean should be set in the system configuration. - + - + Disable the kdumpgui_run_bootloader SELinux Boolean @@ -298712,11 +298714,11 @@ which the system will be deployed as closely as possible.The SELinux 'kdumpgui_run_bootloader' boolean should be set in the system configuration. - + - + Enable the kerberos_enabled SELinux Boolean @@ -298726,11 +298728,11 @@ which the system will be deployed as closely as possible. - + - + Disable the ksmtuned_use_cifs SELinux Boolean @@ -298739,11 +298741,11 @@ which the system will be deployed as closely as possible.The SELinux 'ksmtuned_use_cifs' boolean should be set in the system configuration. - + - + Disable the ksmtuned_use_nfs SELinux Boolean @@ -298752,11 +298754,11 @@ which the system will be deployed as closely as possible.The SELinux 'ksmtuned_use_nfs' boolean should be set in the system configuration. - + - + Enable the logadm_exec_content SELinux Boolean @@ -298765,11 +298767,11 @@ which the system will be deployed as closely as possible.The SELinux 'logadm_exec_content' boolean should be set in the system configuration. - + - + Disable the logging_syslogd_can_sendmail SELinux Boolean @@ -298778,11 +298780,11 @@ which the system will be deployed as closely as possible.The SELinux 'logging_syslogd_can_sendmail' boolean should be set in the system configuration. - + - + Disable the logging_syslogd_run_nagios_plugins SELinux Boolean @@ -298791,11 +298793,11 @@ which the system will be deployed as closely as possible.The SELinux 'logging_syslogd_run_nagios_plugins' boolean should be set in the system configuration. - + - + Enable the logging_syslogd_use_tty SELinux Boolean @@ -298804,11 +298806,11 @@ which the system will be deployed as closely as possible.The SELinux 'logging_syslogd_use_tty' boolean should be set in the system configuration. - + - + Enable the login_console_enabled SELinux Boolean @@ -298817,11 +298819,11 @@ which the system will be deployed as closely as possible.The SELinux 'login_console_enabled' boolean should be set in the system configuration. - + - + Disable the logrotate_use_nfs SELinux Boolean @@ -298830,11 +298832,11 @@ which the system will be deployed as closely as possible.The SELinux 'logrotate_use_nfs' boolean should be set in the system configuration. - + - + Disable the logwatch_can_network_connect_mail SELinux Boolean @@ -298843,11 +298845,11 @@ which the system will be deployed as closely as possible.The SELinux 'logwatch_can_network_connect_mail' boolean should be set in the system configuration. - + - + Disable the lsmd_plugin_connect_any SELinux Boolean @@ -298856,11 +298858,11 @@ which the system will be deployed as closely as possible.The SELinux 'lsmd_plugin_connect_any' boolean should be set in the system configuration. - + - + Disable the mailman_use_fusefs SELinux Boolean @@ -298869,11 +298871,11 @@ which the system will be deployed as closely as possible.The SELinux 'mailman_use_fusefs' boolean should be set in the system configuration. - + - + Disable the mcelog_client SELinux Boolean @@ -298882,11 +298884,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_client' boolean should be set in the system configuration. - + - + Enable the mcelog_exec_scripts SELinux Boolean @@ -298895,11 +298897,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_exec_scripts' boolean should be set in the system configuration. - + - + Disable the mcelog_foreground SELinux Boolean @@ -298908,11 +298910,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_foreground' boolean should be set in the system configuration. - + - + Disable the mcelog_server SELinux Boolean @@ -298921,11 +298923,11 @@ which the system will be deployed as closely as possible.The SELinux 'mcelog_server' boolean should be set in the system configuration. - + - + Disable the minidlna_read_generic_user_content SELinux Boolean @@ -298934,11 +298936,11 @@ which the system will be deployed as closely as possible.The SELinux 'minidlna_read_generic_user_content' boolean should be set in the system configuration. - + - + Disable the mmap_low_allowed SELinux Boolean @@ -298947,11 +298949,11 @@ which the system will be deployed as closely as possible.The SELinux 'mmap_low_allowed' boolean should be set in the system configuration. - + - + Disable the mock_enable_homedirs SELinux Boolean @@ -298960,11 +298962,11 @@ which the system will be deployed as closely as possible.The SELinux 'mock_enable_homedirs' boolean should be set in the system configuration. - + - + Enable the mount_anyfile SELinux Boolean @@ -298973,11 +298975,11 @@ which the system will be deployed as closely as possible.The SELinux 'mount_anyfile' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean @@ -298986,11 +298988,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_bind_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_can_network_connect SELinux Boolean @@ -298999,11 +299001,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_can_network_connect' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_use_bluejeans SELinux Boolean @@ -299012,11 +299014,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_use_bluejeans' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_use_gps SELinux Boolean @@ -299025,11 +299027,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_use_gps' boolean should be set in the system configuration. - + - + Disable the mozilla_plugin_use_spice SELinux Boolean @@ -299038,11 +299040,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_plugin_use_spice' boolean should be set in the system configuration. - + - + Disable the mozilla_read_content SELinux Boolean @@ -299051,11 +299053,11 @@ which the system will be deployed as closely as possible.The SELinux 'mozilla_read_content' boolean should be set in the system configuration. - + - + Disable the mpd_enable_homedirs SELinux Boolean @@ -299064,11 +299066,11 @@ which the system will be deployed as closely as possible.The SELinux 'mpd_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the mpd_use_cifs SELinux Boolean @@ -299077,11 +299079,11 @@ which the system will be deployed as closely as possible.The SELinux 'mpd_use_cifs' boolean should be set in the system configuration. - + - + Disable the mpd_use_nfs SELinux Boolean @@ -299090,11 +299092,11 @@ which the system will be deployed as closely as possible.The SELinux 'mpd_use_nfs' boolean should be set in the system configuration. - + - + Disable the mplayer_execstack SELinux Boolean @@ -299103,11 +299105,11 @@ which the system will be deployed as closely as possible.The SELinux 'mplayer_execstack' boolean should be set in the system configuration. - + - + Disable the mysql_connect_any SELinux Boolean @@ -299116,11 +299118,11 @@ which the system will be deployed as closely as possible.The SELinux 'mysql_connect_any' boolean should be set in the system configuration. - + - + Disable the nagios_run_pnp4nagios SELinux Boolean @@ -299129,11 +299131,11 @@ which the system will be deployed as closely as possible.The SELinux 'nagios_run_pnp4nagios' boolean should be set in the system configuration. - + - + Disable the nagios_run_sudo SELinux Boolean @@ -299142,11 +299144,11 @@ which the system will be deployed as closely as possible.The SELinux 'nagios_run_sudo' boolean should be set in the system configuration. - + - + Disable the named_tcp_bind_http_port SELinux Boolean @@ -299155,11 +299157,11 @@ which the system will be deployed as closely as possible.The SELinux 'named_tcp_bind_http_port' boolean should be set in the system configuration. - + - + Disable the named_write_master_zones SELinux Boolean @@ -299168,11 +299170,11 @@ which the system will be deployed as closely as possible.The SELinux 'named_write_master_zones' boolean should be set in the system configuration. - + - + Disable the neutron_can_network SELinux Boolean @@ -299181,11 +299183,11 @@ which the system will be deployed as closely as possible.The SELinux 'neutron_can_network' boolean should be set in the system configuration. - + - + Enable the nfs_export_all_ro SELinux Boolean @@ -299194,11 +299196,11 @@ which the system will be deployed as closely as possible.The SELinux 'nfs_export_all_ro' boolean should be set in the system configuration. - + - + Enable the nfs_export_all_rw SELinux Boolean @@ -299207,11 +299209,11 @@ which the system will be deployed as closely as possible.The SELinux 'nfs_export_all_rw' boolean should be set in the system configuration. - + - + Disable the nfsd_anon_write SELinux Boolean @@ -299220,11 +299222,11 @@ which the system will be deployed as closely as possible.The SELinux 'nfsd_anon_write' boolean should be set in the system configuration. - + - + Disable the nis_enabled SELinux Boolean @@ -299233,11 +299235,11 @@ which the system will be deployed as closely as possible.The SELinux 'nis_enabled' boolean should be set in the system configuration. - + - + Enable the nscd_use_shm SELinux Boolean @@ -299246,11 +299248,11 @@ which the system will be deployed as closely as possible.The SELinux 'nscd_use_shm' boolean should be set in the system configuration. - + - + Disable the openshift_use_nfs SELinux Boolean @@ -299259,11 +299261,11 @@ which the system will be deployed as closely as possible.The SELinux 'openshift_use_nfs' boolean should be set in the system configuration. - + - + Disable the openvpn_can_network_connect SELinux Boolean @@ -299272,11 +299274,11 @@ which the system will be deployed as closely as possible.The SELinux 'openvpn_can_network_connect' boolean should be set in the system configuration. - + - + Disable the openvpn_enable_homedirs SELinux Boolean @@ -299285,11 +299287,11 @@ which the system will be deployed as closely as possible.The SELinux 'openvpn_enable_homedirs' boolean should be set in the system configuration. - + - + Disable the openvpn_run_unconfined SELinux Boolean @@ -299298,11 +299300,11 @@ which the system will be deployed as closely as possible.The SELinux 'openvpn_run_unconfined' boolean should be set in the system configuration. - + - + Disable the pcp_bind_all_unreserved_ports SELinux Boolean @@ -299311,11 +299313,11 @@ which the system will be deployed as closely as possible.The SELinux 'pcp_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the pcp_read_generic_logs SELinux Boolean @@ -299324,11 +299326,11 @@ which the system will be deployed as closely as possible.The SELinux 'pcp_read_generic_logs' boolean should be set in the system configuration. - + - + Disable the piranha_lvs_can_network_connect SELinux Boolean @@ -299337,11 +299339,11 @@ which the system will be deployed as closely as possible.The SELinux 'piranha_lvs_can_network_connect' boolean should be set in the system configuration. - + - + Disable the polipo_connect_all_unreserved SELinux Boolean @@ -299350,11 +299352,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_connect_all_unreserved' boolean should be set in the system configuration. - + - + Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean @@ -299363,11 +299365,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_session_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the polipo_session_users SELinux Boolean @@ -299376,11 +299378,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_session_users' boolean should be set in the system configuration. - + - + Disable the polipo_use_cifs SELinux Boolean @@ -299389,11 +299391,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_use_cifs' boolean should be set in the system configuration. - + - + Disable the polipo_use_nfs SELinux Boolean @@ -299402,11 +299404,11 @@ which the system will be deployed as closely as possible.The SELinux 'polipo_use_nfs' boolean should be set in the system configuration. - + - + Configure the polyinstantiation_enabled SELinux Boolean @@ -299416,11 +299418,11 @@ which the system will be deployed as closely as possible. - + - + Enable the postfix_local_write_mail_spool SELinux Boolean @@ -299429,11 +299431,11 @@ which the system will be deployed as closely as possible.The SELinux 'postfix_local_write_mail_spool' boolean should be set in the system configuration. - + - + Disable the postgresql_can_rsync SELinux Boolean @@ -299442,11 +299444,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_can_rsync' boolean should be set in the system configuration. - + - + Disable the postgresql_selinux_transmit_client_label SELinux Boolean @@ -299455,11 +299457,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_selinux_transmit_client_label' boolean should be set in the system configuration. - + - + Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean @@ -299468,11 +299470,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_selinux_unconfined_dbadm' boolean should be set in the system configuration. - + - + Enable the postgresql_selinux_users_ddl SELinux Boolean @@ -299481,11 +299483,11 @@ which the system will be deployed as closely as possible.The SELinux 'postgresql_selinux_users_ddl' boolean should be set in the system configuration. - + - + Disable the pppd_can_insmod SELinux Boolean @@ -299494,11 +299496,11 @@ which the system will be deployed as closely as possible.The SELinux 'pppd_can_insmod' boolean should be set in the system configuration. - + - + Disable the pppd_for_user SELinux Boolean @@ -299507,11 +299509,11 @@ which the system will be deployed as closely as possible.The SELinux 'pppd_for_user' boolean should be set in the system configuration. - + - + Disable the privoxy_connect_any SELinux Boolean @@ -299520,11 +299522,11 @@ which the system will be deployed as closely as possible.The SELinux 'privoxy_connect_any' boolean should be set in the system configuration. - + - + Disable the prosody_bind_http_port SELinux Boolean @@ -299533,11 +299535,11 @@ which the system will be deployed as closely as possible.The SELinux 'prosody_bind_http_port' boolean should be set in the system configuration. - + - + Disable the puppetagent_manage_all_files SELinux Boolean @@ -299546,11 +299548,11 @@ which the system will be deployed as closely as possible.The SELinux 'puppetagent_manage_all_files' boolean should be set in the system configuration. - + - + Disable the puppetmaster_use_db SELinux Boolean @@ -299559,11 +299561,11 @@ which the system will be deployed as closely as possible.The SELinux 'puppetmaster_use_db' boolean should be set in the system configuration. - + - + Disable the racoon_read_shadow SELinux Boolean @@ -299572,11 +299574,11 @@ which the system will be deployed as closely as possible.The SELinux 'racoon_read_shadow' boolean should be set in the system configuration. - + - + Disable the rsync_anon_write SELinux Boolean @@ -299585,11 +299587,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_anon_write' boolean should be set in the system configuration. - + - + Disable the rsync_client SELinux Boolean @@ -299598,11 +299600,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_client' boolean should be set in the system configuration. - + - + Disable the rsync_export_all_ro SELinux Boolean @@ -299611,11 +299613,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_export_all_ro' boolean should be set in the system configuration. - + - + Disable the rsync_full_access SELinux Boolean @@ -299624,11 +299626,11 @@ which the system will be deployed as closely as possible.The SELinux 'rsync_full_access' boolean should be set in the system configuration. - + - + Disable the samba_create_home_dirs SELinux Boolean @@ -299637,11 +299639,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_create_home_dirs' boolean should be set in the system configuration. - + - + Disable the samba_domain_controller SELinux Boolean @@ -299650,11 +299652,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_domain_controller' boolean should be set in the system configuration. - + - + Disable the samba_enable_home_dirs SELinux Boolean @@ -299663,11 +299665,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_enable_home_dirs' boolean should be set in the system configuration. - + - + Disable the samba_export_all_ro SELinux Boolean @@ -299676,11 +299678,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_export_all_ro' boolean should be set in the system configuration. - + - + Disable the samba_export_all_rw SELinux Boolean @@ -299689,11 +299691,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_export_all_rw' boolean should be set in the system configuration. - + - + Disable the samba_load_libgfapi SELinux Boolean @@ -299702,11 +299704,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_load_libgfapi' boolean should be set in the system configuration. - + - + Disable the samba_portmapper SELinux Boolean @@ -299715,11 +299717,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_portmapper' boolean should be set in the system configuration. - + - + Disable the samba_run_unconfined SELinux Boolean @@ -299728,11 +299730,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_run_unconfined' boolean should be set in the system configuration. - + - + Disable the samba_share_fusefs SELinux Boolean @@ -299741,11 +299743,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_share_fusefs' boolean should be set in the system configuration. - + - + Disable the samba_share_nfs SELinux Boolean @@ -299754,11 +299756,11 @@ which the system will be deployed as closely as possible.The SELinux 'samba_share_nfs' boolean should be set in the system configuration. - + - + Disable the sanlock_use_fusefs SELinux Boolean @@ -299767,11 +299769,11 @@ which the system will be deployed as closely as possible.The SELinux 'sanlock_use_fusefs' boolean should be set in the system configuration. - + - + Disable the sanlock_use_nfs SELinux Boolean @@ -299780,11 +299782,11 @@ which the system will be deployed as closely as possible.The SELinux 'sanlock_use_nfs' boolean should be set in the system configuration. - + - + Disable the sanlock_use_samba SELinux Boolean @@ -299793,11 +299795,11 @@ which the system will be deployed as closely as possible.The SELinux 'sanlock_use_samba' boolean should be set in the system configuration. - + - + Disable the saslauthd_read_shadow SELinux Boolean @@ -299806,11 +299808,11 @@ which the system will be deployed as closely as possible.The SELinux 'saslauthd_read_shadow' boolean should be set in the system configuration. - + - + Enable the secadm_exec_content SELinux Boolean @@ -299819,11 +299821,11 @@ which the system will be deployed as closely as possible.The SELinux 'secadm_exec_content' boolean should be set in the system configuration. - + - + Disable the secure_mode SELinux Boolean @@ -299832,11 +299834,11 @@ which the system will be deployed as closely as possible.The SELinux 'secure_mode' boolean should be set in the system configuration. - + - + Configure the secure_mode_insmod SELinux Boolean @@ -299846,11 +299848,11 @@ which the system will be deployed as closely as possible. - + - + Disable the secure_mode_policyload SELinux Boolean @@ -299859,11 +299861,11 @@ which the system will be deployed as closely as possible.The SELinux 'secure_mode_policyload' boolean should be set in the system configuration. - + - + Configure the selinuxuser_direct_dri_enabled SELinux Boolean @@ -299872,11 +299874,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_direct_dri_enabled' boolean should be set in the system configuration. - + - + Disable the selinuxuser_execheap SELinux Boolean @@ -299886,11 +299888,11 @@ which the system will be deployed as closely as possible. - + - + Enable the selinuxuser_execmod SELinux Boolean @@ -299900,11 +299902,11 @@ which the system will be deployed as closely as possible. - + - + Disable the selinuxuser_execstack SELinux Boolean @@ -299914,11 +299916,11 @@ which the system will be deployed as closely as possible. - + - + Disable the selinuxuser_mysql_connect_enabled SELinux Boolean @@ -299927,11 +299929,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_mysql_connect_enabled' boolean should be set in the system configuration. - + - + Enable the selinuxuser_ping SELinux Boolean @@ -299940,11 +299942,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_ping' boolean should be set in the system configuration. - + - + Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean @@ -299953,11 +299955,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_postgresql_connect_enabled' boolean should be set in the system configuration. - + - + Disable the selinuxuser_rw_noexattrfile SELinux Boolean @@ -299966,11 +299968,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_rw_noexattrfile' boolean should be set in the system configuration. - + - + Disable the selinuxuser_share_music SELinux Boolean @@ -299979,11 +299981,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_share_music' boolean should be set in the system configuration. - + - + Disable the selinuxuser_tcp_server SELinux Boolean @@ -299992,11 +299994,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_tcp_server' boolean should be set in the system configuration. - + - + Disable the selinuxuser_udp_server SELinux Boolean @@ -300005,11 +300007,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_udp_server' boolean should be set in the system configuration. - + - + Disable the selinuxuser_use_ssh_chroot SELinux Boolean @@ -300018,11 +300020,11 @@ which the system will be deployed as closely as possible.The SELinux 'selinuxuser_use_ssh_chroot' boolean should be set in the system configuration. - + - + Disable the sge_domain_can_network_connect SELinux Boolean @@ -300031,11 +300033,11 @@ which the system will be deployed as closely as possible.The SELinux 'sge_domain_can_network_connect' boolean should be set in the system configuration. - + - + Disable the sge_use_nfs SELinux Boolean @@ -300044,11 +300046,11 @@ which the system will be deployed as closely as possible.The SELinux 'sge_use_nfs' boolean should be set in the system configuration. - + - + Disable the smartmon_3ware SELinux Boolean @@ -300057,11 +300059,11 @@ which the system will be deployed as closely as possible.The SELinux 'smartmon_3ware' boolean should be set in the system configuration. - + - + Disable the smbd_anon_write SELinux Boolean @@ -300070,11 +300072,11 @@ which the system will be deployed as closely as possible.The SELinux 'smbd_anon_write' boolean should be set in the system configuration. - + - + Disable the spamassassin_can_network SELinux Boolean @@ -300083,11 +300085,11 @@ which the system will be deployed as closely as possible.The SELinux 'spamassassin_can_network' boolean should be set in the system configuration. - + - + Enable the spamd_enable_home_dirs SELinux Boolean @@ -300096,11 +300098,11 @@ which the system will be deployed as closely as possible.The SELinux 'spamd_enable_home_dirs' boolean should be set in the system configuration. - + - + Disable the squid_connect_any SELinux Boolean @@ -300109,11 +300111,11 @@ which the system will be deployed as closely as possible.The SELinux 'squid_connect_any' boolean should be set in the system configuration. - + - + Disable the squid_use_tproxy SELinux Boolean @@ -300122,11 +300124,11 @@ which the system will be deployed as closely as possible.The SELinux 'squid_use_tproxy' boolean should be set in the system configuration. - + - + Disable the ssh_chroot_rw_homedirs SELinux Boolean @@ -300135,11 +300137,11 @@ which the system will be deployed as closely as possible.The SELinux 'ssh_chroot_rw_homedirs' boolean should be set in the system configuration. - + - + Disable the ssh_keysign SELinux Boolean @@ -300148,11 +300150,11 @@ which the system will be deployed as closely as possible.The SELinux 'ssh_keysign' boolean should be set in the system configuration. - + - + Disable the ssh_sysadm_login SELinux Boolean @@ -300162,11 +300164,11 @@ which the system will be deployed as closely as possible. - + - + Enable the staff_exec_content SELinux Boolean @@ -300175,11 +300177,11 @@ which the system will be deployed as closely as possible.The SELinux 'staff_exec_content' boolean should be set in the system configuration. - + - + Disable the staff_use_svirt SELinux Boolean @@ -300188,11 +300190,11 @@ which the system will be deployed as closely as possible.The SELinux 'staff_use_svirt' boolean should be set in the system configuration. - + - + Disable the swift_can_network SELinux Boolean @@ -300201,11 +300203,11 @@ which the system will be deployed as closely as possible.The SELinux 'swift_can_network' boolean should be set in the system configuration. - + - + Enable the sysadm_exec_content SELinux Boolean @@ -300214,11 +300216,11 @@ which the system will be deployed as closely as possible.The SELinux 'sysadm_exec_content' boolean should be set in the system configuration. - + - + Disable the telepathy_connect_all_ports SELinux Boolean @@ -300227,11 +300229,11 @@ which the system will be deployed as closely as possible.The SELinux 'telepathy_connect_all_ports' boolean should be set in the system configuration. - + - + Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean @@ -300240,11 +300242,11 @@ which the system will be deployed as closely as possible.The SELinux 'telepathy_tcp_connect_generic_network_ports' boolean should be set in the system configuration. - + - + Disable the tftp_anon_write SELinux Boolean @@ -300253,11 +300255,11 @@ which the system will be deployed as closely as possible.The SELinux 'tftp_anon_write' boolean should be set in the system configuration. - + - + Disable the tftp_home_dir SELinux Boolean @@ -300266,11 +300268,11 @@ which the system will be deployed as closely as possible.The SELinux 'tftp_home_dir' boolean should be set in the system configuration. - + - + Disable the tmpreaper_use_nfs SELinux Boolean @@ -300279,11 +300281,11 @@ which the system will be deployed as closely as possible.The SELinux 'tmpreaper_use_nfs' boolean should be set in the system configuration. - + - + Disable the tmpreaper_use_samba SELinux Boolean @@ -300292,11 +300294,11 @@ which the system will be deployed as closely as possible.The SELinux 'tmpreaper_use_samba' boolean should be set in the system configuration. - + - + Disable the tor_bind_all_unreserved_ports SELinux Boolean @@ -300305,11 +300307,11 @@ which the system will be deployed as closely as possible.The SELinux 'tor_bind_all_unreserved_ports' boolean should be set in the system configuration. - + - + Disable the tor_can_network_relay SELinux Boolean @@ -300318,11 +300320,11 @@ which the system will be deployed as closely as possible.The SELinux 'tor_can_network_relay' boolean should be set in the system configuration. - + - + Enable the unconfined_chrome_sandbox_transition SELinux Boolean @@ -300331,11 +300333,11 @@ which the system will be deployed as closely as possible.The SELinux 'unconfined_chrome_sandbox_transition' boolean should be set in the system configuration. - + - + Enable the unconfined_login SELinux Boolean @@ -300344,11 +300346,11 @@ which the system will be deployed as closely as possible.The SELinux 'unconfined_login' boolean should be set in the system configuration. - + - + Enable the unconfined_mozilla_plugin_transition SELinux Boolean @@ -300357,11 +300359,11 @@ which the system will be deployed as closely as possible.The SELinux 'unconfined_mozilla_plugin_transition' boolean should be set in the system configuration. - + - + Disable the unprivuser_use_svirt SELinux Boolean @@ -300370,11 +300372,11 @@ which the system will be deployed as closely as possible.The SELinux 'unprivuser_use_svirt' boolean should be set in the system configuration. - + - + Disable the use_ecryptfs_home_dirs SELinux Boolean @@ -300383,11 +300385,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_ecryptfs_home_dirs' boolean should be set in the system configuration. - + - + Disable the use_fusefs_home_dirs SELinux Boolean @@ -300396,11 +300398,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_fusefs_home_dirs' boolean should be set in the system configuration. - + - + Disable the use_lpd_server SELinux Boolean @@ -300409,11 +300411,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_lpd_server' boolean should be set in the system configuration. - + - + Disable the use_nfs_home_dirs SELinux Boolean @@ -300422,11 +300424,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_nfs_home_dirs' boolean should be set in the system configuration. - + - + Disable the use_samba_home_dirs SELinux Boolean @@ -300435,11 +300437,11 @@ which the system will be deployed as closely as possible.The SELinux 'use_samba_home_dirs' boolean should be set in the system configuration. - + - + Enable the user_exec_content SELinux Boolean @@ -300448,11 +300450,11 @@ which the system will be deployed as closely as possible.The SELinux 'user_exec_content' boolean should be set in the system configuration. - + - + Disable the varnishd_connect_any SELinux Boolean @@ -300461,11 +300463,11 @@ which the system will be deployed as closely as possible.The SELinux 'varnishd_connect_any' boolean should be set in the system configuration. - + - + Disable the virt_read_qemu_ga_data SELinux Boolean @@ -300474,11 +300476,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_read_qemu_ga_data' boolean should be set in the system configuration. - + - + Disable the virt_rw_qemu_ga_data SELinux Boolean @@ -300487,11 +300489,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_rw_qemu_ga_data' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_all_caps SELinux Boolean @@ -300500,11 +300502,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_all_caps' boolean should be set in the system configuration. - + - + Enable the virt_sandbox_use_audit SELinux Boolean @@ -300513,11 +300515,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_audit' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_mknod SELinux Boolean @@ -300526,11 +300528,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_mknod' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_netlink SELinux Boolean @@ -300539,11 +300541,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_netlink' boolean should be set in the system configuration. - + - + Disable the virt_sandbox_use_sys_admin SELinux Boolean @@ -300552,11 +300554,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_sandbox_use_sys_admin' boolean should be set in the system configuration. - + - + Disable the virt_transition_userdomain SELinux Boolean @@ -300565,11 +300567,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_transition_userdomain' boolean should be set in the system configuration. - + - + Disable the virt_use_comm SELinux Boolean @@ -300578,11 +300580,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_comm' boolean should be set in the system configuration. - + - + Disable the virt_use_execmem SELinux Boolean @@ -300592,11 +300594,11 @@ which the system will be deployed as closely as possible. - + - + Disable the virt_use_fusefs SELinux Boolean @@ -300605,11 +300607,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_fusefs' boolean should be set in the system configuration. - + - + Disable the virt_use_nfs SELinux Boolean @@ -300618,11 +300620,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_nfs' boolean should be set in the system configuration. - + - + Disable the virt_use_rawip SELinux Boolean @@ -300631,11 +300633,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_rawip' boolean should be set in the system configuration. - + - + Disable the virt_use_samba SELinux Boolean @@ -300644,11 +300646,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_samba' boolean should be set in the system configuration. - + - + Disable the virt_use_sanlock SELinux Boolean @@ -300657,11 +300659,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_sanlock' boolean should be set in the system configuration. - + - + Disable the virt_use_usb SELinux Boolean @@ -300670,11 +300672,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_usb' boolean should be set in the system configuration. - + - + Disable the virt_use_xserver SELinux Boolean @@ -300683,11 +300685,11 @@ which the system will be deployed as closely as possible.The SELinux 'virt_use_xserver' boolean should be set in the system configuration. - + - + Disable the webadm_manage_user_files SELinux Boolean @@ -300696,11 +300698,11 @@ which the system will be deployed as closely as possible.The SELinux 'webadm_manage_user_files' boolean should be set in the system configuration. - + - + Disable the webadm_read_user_files SELinux Boolean @@ -300709,11 +300711,11 @@ which the system will be deployed as closely as possible.The SELinux 'webadm_read_user_files' boolean should be set in the system configuration. - + - + Disable the wine_mmap_zero_ignore SELinux Boolean @@ -300722,11 +300724,11 @@ which the system will be deployed as closely as possible.The SELinux 'wine_mmap_zero_ignore' boolean should be set in the system configuration. - + - + Disable the xdm_bind_vnc_tcp_port SELinux Boolean @@ -300735,11 +300737,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_bind_vnc_tcp_port' boolean should be set in the system configuration. - + - + Disable the xdm_exec_bootloader SELinux Boolean @@ -300748,11 +300750,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_exec_bootloader' boolean should be set in the system configuration. - + - + Disable the xdm_sysadm_login SELinux Boolean @@ -300761,11 +300763,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_sysadm_login' boolean should be set in the system configuration. - + - + Disable the xdm_write_home SELinux Boolean @@ -300774,11 +300776,11 @@ which the system will be deployed as closely as possible.The SELinux 'xdm_write_home' boolean should be set in the system configuration. - + - + Disable the xen_use_nfs SELinux Boolean @@ -300787,11 +300789,11 @@ which the system will be deployed as closely as possible.The SELinux 'xen_use_nfs' boolean should be set in the system configuration. - + - + Enable the xend_run_blktap SELinux Boolean @@ -300800,11 +300802,11 @@ which the system will be deployed as closely as possible.The SELinux 'xend_run_blktap' boolean should be set in the system configuration. - + - + Enable the xend_run_qemu SELinux Boolean @@ -300813,11 +300815,11 @@ which the system will be deployed as closely as possible.The SELinux 'xend_run_qemu' boolean should be set in the system configuration. - + - + Disable the xguest_connect_network SELinux Boolean @@ -300826,11 +300828,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_connect_network' boolean should be set in the system configuration. - + - + Disable the xguest_exec_content SELinux Boolean @@ -300839,11 +300841,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_exec_content' boolean should be set in the system configuration. - + - + Disable the xguest_mount_media SELinux Boolean @@ -300852,11 +300854,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_mount_media' boolean should be set in the system configuration. - + - + Disable the xguest_use_bluetooth SELinux Boolean @@ -300865,11 +300867,11 @@ which the system will be deployed as closely as possible.The SELinux 'xguest_use_bluetooth' boolean should be set in the system configuration. - + - + Disable the xserver_clients_write_xshm SELinux Boolean @@ -300878,11 +300880,11 @@ which the system will be deployed as closely as possible.The SELinux 'xserver_clients_write_xshm' boolean should be set in the system configuration. - + - + Disable the xserver_execmem SELinux Boolean @@ -300892,11 +300894,11 @@ which the system will be deployed as closely as possible. - + - + Disable the xserver_object_manager SELinux Boolean @@ -300905,11 +300907,11 @@ which the system will be deployed as closely as possible.The SELinux 'xserver_object_manager' boolean should be set in the system configuration. - + - + Disable the zabbix_can_network SELinux Boolean @@ -300918,11 +300920,11 @@ which the system will be deployed as closely as possible.The SELinux 'zabbix_can_network' boolean should be set in the system configuration. - + - + Disable the zarafa_setrlimit SELinux Boolean @@ -300931,11 +300933,11 @@ which the system will be deployed as closely as possible.The SELinux 'zarafa_setrlimit' boolean should be set in the system configuration. - + - + Disable the zebra_write_config SELinux Boolean @@ -300944,11 +300946,11 @@ which the system will be deployed as closely as possible.The SELinux 'zebra_write_config' boolean should be set in the system configuration. - + - + Disable the zoneminder_anon_write SELinux Boolean @@ -300957,11 +300959,11 @@ which the system will be deployed as closely as possible.The SELinux 'zoneminder_anon_write' boolean should be set in the system configuration. - + - + Disable the zoneminder_run_sudo SELinux Boolean @@ -300970,11 +300972,11 @@ which the system will be deployed as closely as possible.The SELinux 'zoneminder_run_sudo' boolean should be set in the system configuration. - + - + Disable Automatic Bug Reporting Tool (abrtd) @@ -300986,13 +300988,13 @@ which the system will be deployed as closely as possible. - + - + Disable Advanced Configuration and Power Interface (acpid) @@ -301004,13 +301006,13 @@ which the system will be deployed as closely as possible. - + - + Disable At Service (atd) @@ -301022,13 +301024,13 @@ which the system will be deployed as closely as possible. - + - + Enable auditd Service @@ -301042,14 +301044,14 @@ which the system will be deployed as closely as possible. - + - + Disable the Automounter @@ -301061,13 +301063,13 @@ which the system will be deployed as closely as possible. - + - + Disable Avahi Server Software @@ -301079,13 +301081,13 @@ which the system will be deployed as closely as possible. - + - + Disable Bluetooth Service @@ -301096,13 +301098,13 @@ which the system will be deployed as closely as possible. - + - + Disable Certmonger Service (certmonger) @@ -301114,13 +301116,13 @@ which the system will be deployed as closely as possible. - + - + The Chronyd service is enabled @@ -301134,14 +301136,14 @@ which the system will be deployed as closely as possible. - + - + Disable Cockpit Management Server @@ -301152,13 +301154,13 @@ which the system will be deployed as closely as possible. - + - + Disable CPU Speed (cpupower) @@ -301170,13 +301172,13 @@ which the system will be deployed as closely as possible. - + - + Enable cron Service @@ -301189,14 +301191,14 @@ which the system will be deployed as closely as possible. - + - + Enable cron Service @@ -301210,14 +301212,14 @@ which the system will be deployed as closely as possible. - + - + Disable the CUPS Service @@ -301229,13 +301231,13 @@ which the system will be deployed as closely as possible. - + - + Disable debug-shell SystemD Service @@ -301247,13 +301249,13 @@ which the system will be deployed as closely as possible. - + - + Disable DHCP Service @@ -301265,13 +301267,13 @@ which the system will be deployed as closely as possible. - + - + Disable Dovecot Service @@ -301283,13 +301285,13 @@ which the system will be deployed as closely as possible. - + - + Enable the File Access Policy Service @@ -301303,14 +301305,14 @@ which the system will be deployed as closely as possible. - + - + Verify firewalld Enabled @@ -301324,14 +301326,14 @@ which the system will be deployed as closely as possible. - + - + Disable httpd Service @@ -301343,13 +301345,13 @@ which the system will be deployed as closely as possible. - + - + Verify ip6tables Enabled if Using IPv6 @@ -301363,14 +301365,14 @@ which the system will be deployed as closely as possible. - + - + Verify iptables Enabled @@ -301384,14 +301386,14 @@ which the system will be deployed as closely as possible. - + - + Disable KDump Kernel Crash Analyzer (kdump) @@ -301403,13 +301405,13 @@ which the system will be deployed as closely as possible. - + - + Disable Software RAID Monitor (mdmonitor) @@ -301421,13 +301423,13 @@ which the system will be deployed as closely as possible. - + - + Enable nails Service @@ -301440,14 +301442,14 @@ which the system will be deployed as closely as possible. - + - + Disable named Service @@ -301459,13 +301461,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network Console (netconsole) @@ -301477,13 +301479,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network File Systems (netfs) @@ -301494,13 +301496,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network File System (nfs) @@ -301512,13 +301514,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network File System Lock Service (nfslock) @@ -301529,13 +301531,13 @@ which the system will be deployed as closely as possible. - + - + Verify nftables Service is Disabled @@ -301547,13 +301549,13 @@ which the system will be deployed as closely as possible. - + - + Verify nftables Service is Enabled @@ -301567,14 +301569,14 @@ which the system will be deployed as closely as possible. - + - + Enable the NTP Daemon @@ -301587,14 +301589,14 @@ which the system will be deployed as closely as possible. - + - + Enable the NTP Daemon @@ -301607,14 +301609,14 @@ which the system will be deployed as closely as possible. - + - + Disable ntpdate Service (ntpdate) @@ -301626,13 +301628,13 @@ which the system will be deployed as closely as possible. - + - + Disable Odd Job Daemon (oddjobd) @@ -301644,13 +301646,13 @@ which the system will be deployed as closely as possible. - + - + Enable the pcscd Service @@ -301664,14 +301666,14 @@ which the system will be deployed as closely as possible. - + - + Disable Portreserve (portreserve) @@ -301683,13 +301685,13 @@ which the system will be deployed as closely as possible. - + - + Enable Postfix Service @@ -301702,14 +301704,14 @@ which the system will be deployed as closely as possible. - + - + Enable Process Accounting (psacct) @@ -301723,14 +301725,14 @@ which the system will be deployed as closely as possible. - + - + Disable Apache Qpid (qpidd) @@ -301742,13 +301744,13 @@ which the system will be deployed as closely as possible. - + - + Disable Quota Netlink (quota_nld) @@ -301760,13 +301762,13 @@ which the system will be deployed as closely as possible. - + - + Disable Network Router Discovery Daemon (rdisc) @@ -301778,13 +301780,13 @@ which the system will be deployed as closely as possible. - + - + Disable rexec Service @@ -301796,13 +301798,13 @@ which the system will be deployed as closely as possible. - + - + Disable Red Hat Network Service (rhnsd) @@ -301814,13 +301816,13 @@ which the system will be deployed as closely as possible. - + - + Disable Red Hat Subscription Manager Daemon (rhsmcertd) @@ -301832,13 +301834,13 @@ which the system will be deployed as closely as possible. - + - + Disable rlogin Service @@ -301850,13 +301852,13 @@ which the system will be deployed as closely as possible. - + - + Enable the Hardware RNG Entropy Gatherer Service @@ -301870,14 +301872,14 @@ which the system will be deployed as closely as possible. - + - + Disable rpcbind Service @@ -301889,13 +301891,13 @@ which the system will be deployed as closely as possible. - + - + Disable Secure RPC Client Service (rpcgssd) @@ -301906,13 +301908,13 @@ which the system will be deployed as closely as possible. - + - + Disable RPC ID Mapping Service (rpcidmapd) @@ -301923,13 +301925,13 @@ which the system will be deployed as closely as possible. - + - + Disable Secure RPC Server Service (rpcsvcgssd) @@ -301940,13 +301942,13 @@ which the system will be deployed as closely as possible. - + - + Disable rsh Service @@ -301958,13 +301960,13 @@ which the system will be deployed as closely as possible. - + - + Ensure rsyncd service is disabled @@ -301976,13 +301978,13 @@ which the system will be deployed as closely as possible. - + - + Enable rsyslog Service @@ -301996,14 +301998,14 @@ which the system will be deployed as closely as possible. - + - + Disable Cyrus SASL Authentication Daemon (saslauthd) @@ -302015,13 +302017,13 @@ which the system will be deployed as closely as possible. - + - + Disable LDAP Server (slapd) @@ -302033,13 +302035,13 @@ which the system will be deployed as closely as possible. - + - + Disable Samba @@ -302051,13 +302053,13 @@ which the system will be deployed as closely as possible. - + - + Disable snmpd Service @@ -302069,13 +302071,13 @@ which the system will be deployed as closely as possible. - + - + Disable Squid @@ -302087,13 +302089,13 @@ which the system will be deployed as closely as possible. - + - + Disable SSH Server If Possible @@ -302104,13 +302106,13 @@ which the system will be deployed as closely as possible. - + - + Enable the OpenSSH Service @@ -302124,14 +302126,14 @@ which the system will be deployed as closely as possible. - + - + Enable the SSSD Service @@ -302145,14 +302147,14 @@ which the system will be deployed as closely as possible. - + - + service_syslog_disabled @@ -302163,13 +302165,13 @@ which the system will be deployed as closely as possible. - + - + Enable syslog-ng Service @@ -302182,14 +302184,14 @@ which the system will be deployed as closely as possible. - + - + Disable System Statistics Reset Service (sysstat) @@ -302201,13 +302203,13 @@ which the system will be deployed as closely as possible. - + - + Disable acquiring, saving, and processing core dumps @@ -302217,11 +302219,11 @@ which the system will be deployed as closely as possible. - + - + Enable systemd-journald Service @@ -302235,14 +302237,14 @@ which the system will be deployed as closely as possible. - + - + Disable telnet Service @@ -302254,13 +302256,13 @@ which the system will be deployed as closely as possible. - + - + Disable tftp Service @@ -302272,13 +302274,13 @@ which the system will be deployed as closely as possible. - + - + Verify ufw Enabled @@ -302291,14 +302293,14 @@ which the system will be deployed as closely as possible. - + - + Enable the USBGuard Service @@ -302312,14 +302314,14 @@ which the system will be deployed as closely as possible. - + - + Disable vsftpd Service @@ -302331,13 +302333,13 @@ which the system will be deployed as closely as possible. - + - + Disable xinetd Service @@ -302349,13 +302351,13 @@ which the system will be deployed as closely as possible. - + - + Disable ypbind Service @@ -302367,13 +302369,13 @@ which the system will be deployed as closely as possible. - + - + Disable ypserv Service @@ -302385,13 +302387,13 @@ which the system will be deployed as closely as possible. - + - + Disable Quagga Service @@ -302403,13 +302405,27 @@ which the system will be deployed as closely as possible. - + - + + + Set Default firewalld Zone for Incoming Packets + + Red Hat Enterprise Linux 8 + + Check presence of DefaultZone=drop in /etc/firewalld/firewalld.conf + + + + + + + + Disable systemd-journal-remote Socket @@ -302419,11 +302435,11 @@ which the system will be deployed as closely as possible. - + - + Disable SSH Access via Empty Passwords @@ -302450,7 +302466,7 @@ which the system will be deployed as closely as possible. - + Disable GSSAPI Authentication @@ -302477,7 +302493,7 @@ which the system will be deployed as closely as possible. - + Disable Kerberos Authentication @@ -302504,7 +302520,7 @@ which the system will be deployed as closely as possible. - + Disable PubkeyAuthentication Authentication @@ -302531,7 +302547,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Support for .rhosts Files @@ -302558,7 +302574,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Root Login @@ -302585,7 +302601,7 @@ which the system will be deployed as closely as possible. - + Disable SSH root Login with a Password (Insecure) @@ -302611,7 +302627,7 @@ which the system will be deployed as closely as possible. - + Disable SSH TCP Forwarding @@ -302638,7 +302654,7 @@ which the system will be deployed as closely as possible. - + Disable SSH Support for User Known Hosts @@ -302665,7 +302681,7 @@ which the system will be deployed as closely as possible. - + Disable X11 Forwarding @@ -302692,7 +302708,7 @@ which the system will be deployed as closely as possible. - + Do Not Allow SSH Environment Options @@ -302719,7 +302735,7 @@ which the system will be deployed as closely as possible. - + Enable GSSAPI Authentication @@ -302745,7 +302761,7 @@ which the system will be deployed as closely as possible. - + Enable PAM @@ -302772,7 +302788,7 @@ which the system will be deployed as closely as possible. - + Enable Public Key Authentication @@ -302798,7 +302814,7 @@ which the system will be deployed as closely as possible. - + Enable Use of Strict Mode Checking @@ -302825,7 +302841,7 @@ which the system will be deployed as closely as possible. - + Enable SSH Warning Banner @@ -302852,7 +302868,7 @@ which the system will be deployed as closely as possible. - + Enable SSH Warning Banner @@ -302879,7 +302895,7 @@ which the system will be deployed as closely as possible. - + Enable Encrypted X11 Forwarding @@ -302906,7 +302922,7 @@ which the system will be deployed as closely as possible. - + sshd_includes_config_files @@ -302915,11 +302931,11 @@ which the system will be deployed as closely as possible.Check presence of Include /etc/ssh/sshd_config.d/*.conf in /etc/ssh/sshd_config - + - + Enable SSH Print Last Log @@ -302946,7 +302962,7 @@ which the system will be deployed as closely as possible. - + Set SSH Client Alive Count Max to zero @@ -302973,7 +302989,7 @@ which the system will be deployed as closely as possible. - + Set LogLevel to INFO @@ -303000,7 +303016,7 @@ which the system will be deployed as closely as possible. - + Set SSH Daemon LogLevel to VERBOSE @@ -303027,7 +303043,7 @@ which the system will be deployed as closely as possible. - + SSH server uses strong entropy to seed @@ -303041,7 +303057,7 @@ which the system will be deployed as closely as possible. - + Prevent remote hosts from connecting to the proxy display @@ -303068,7 +303084,7 @@ which the system will be deployed as closely as possible. - + Enable Certmap in SSSD @@ -303078,11 +303094,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo Runs In A Minimal Environment - sudo env_reset @@ -303092,11 +303108,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot @@ -303106,11 +303122,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC @@ -303120,11 +303136,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout @@ -303134,11 +303150,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty @@ -303148,11 +303164,11 @@ which the system will be deployed as closely as possible. - + - + Ensure sudo umask is appropriate - sudo umask @@ -303162,11 +303178,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty @@ -303176,11 +303192,11 @@ which the system will be deployed as closely as possible. - + - + Ensure Sudo Logfile Exists - sudo logfile @@ -303190,11 +303206,11 @@ which the system will be deployed as closely as possible. - + - + Ensure only owner and members of group owner of /usr/bin/sudo can execute it @@ -303206,11 +303222,11 @@ which the system will be deployed as closely as possible. - + - + Enable Kernel Parameter to Enforce DAC on Hardlinks @@ -303225,7 +303241,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Hardlinks @@ -303238,7 +303254,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Hardlinks @@ -303255,7 +303271,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Symlinks @@ -303270,7 +303286,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Symlinks @@ -303283,7 +303299,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Enforce DAC on Symlinks @@ -303300,7 +303316,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for SUID programs @@ -303315,7 +303331,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for SUID programs @@ -303328,7 +303344,7 @@ which the system will be deployed as closely as possible. - + Disable Core Dumps for SUID programs @@ -303345,7 +303361,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dumps @@ -303360,7 +303376,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dumps @@ -303373,7 +303389,7 @@ which the system will be deployed as closely as possible. - + Disable storing core dumps @@ -303390,7 +303406,7 @@ which the system will be deployed as closely as possible. - + Configure file name of core dumps @@ -303404,7 +303420,7 @@ which the system will be deployed as closely as possible. - + Configure file name of core dumps @@ -303417,7 +303433,7 @@ which the system will be deployed as closely as possible. - + Configure file name of core dumps @@ -303434,7 +303450,7 @@ which the system will be deployed as closely as possible. - + Restrict Access to Kernel Message Buffer @@ -303449,7 +303465,7 @@ which the system will be deployed as closely as possible. - + Restrict Access to Kernel Message Buffer @@ -303462,7 +303478,7 @@ which the system will be deployed as closely as possible. - + Restrict Access to Kernel Message Buffer @@ -303479,7 +303495,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Image Loading @@ -303494,7 +303510,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Image Loading @@ -303507,7 +303523,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Image Loading @@ -303524,7 +303540,7 @@ which the system will be deployed as closely as possible. - + Restrict Exposed Kernel Pointer Addresses Access @@ -303539,7 +303555,7 @@ which the system will be deployed as closely as possible. - + Restrict Exposed Kernel Pointer Addresses Access @@ -303552,7 +303568,7 @@ which the system will be deployed as closely as possible. - + Restrict Exposed Kernel Pointer Addresses Access @@ -303569,7 +303585,7 @@ which the system will be deployed as closely as possible. - + Disable loading and unloading of kernel modules @@ -303584,7 +303600,7 @@ which the system will be deployed as closely as possible. - + Disable loading and unloading of kernel modules @@ -303597,7 +303613,7 @@ which the system will be deployed as closely as possible. - + Disable loading and unloading of kernel modules @@ -303614,7 +303630,7 @@ which the system will be deployed as closely as possible. - + Kernel panic on oops @@ -303629,7 +303645,7 @@ which the system will be deployed as closely as possible. - + Kernel panic on oops @@ -303642,7 +303658,7 @@ which the system will be deployed as closely as possible. - + Kernel panic on oops @@ -303659,7 +303675,7 @@ which the system will be deployed as closely as possible. - + Limit CPU consumption of the Perf system @@ -303674,7 +303690,7 @@ which the system will be deployed as closely as possible. - + Limit CPU consumption of the Perf system @@ -303687,7 +303703,7 @@ which the system will be deployed as closely as possible. - + Limit CPU consumption of the Perf system @@ -303704,7 +303720,7 @@ which the system will be deployed as closely as possible. - + Limit sampling frequency of the Perf system @@ -303719,7 +303735,7 @@ which the system will be deployed as closely as possible. - + Limit sampling frequency of the Perf system @@ -303732,7 +303748,7 @@ which the system will be deployed as closely as possible. - + Limit sampling frequency of the Perf system @@ -303749,7 +303765,7 @@ which the system will be deployed as closely as possible. - + Disallow kernel profiling by unprivileged users @@ -303764,7 +303780,7 @@ which the system will be deployed as closely as possible. - + Disallow kernel profiling by unprivileged users @@ -303777,7 +303793,7 @@ which the system will be deployed as closely as possible. - + Disallow kernel profiling by unprivileged users @@ -303794,7 +303810,7 @@ which the system will be deployed as closely as possible. - + Configure maximum number of process identifiers @@ -303809,7 +303825,7 @@ which the system will be deployed as closely as possible. - + Configure maximum number of process identifiers @@ -303822,7 +303838,7 @@ which the system will be deployed as closely as possible. - + Configure maximum number of process identifiers @@ -303839,7 +303855,7 @@ which the system will be deployed as closely as possible. - + Enable Randomized Layout of Virtual Address Space @@ -303854,7 +303870,7 @@ which the system will be deployed as closely as possible. - + Enable Randomized Layout of Virtual Address Space @@ -303867,7 +303883,7 @@ which the system will be deployed as closely as possible. - + Enable Randomized Layout of Virtual Address Space @@ -303884,7 +303900,7 @@ which the system will be deployed as closely as possible. - + Disallow magic SysRq key @@ -303899,7 +303915,7 @@ which the system will be deployed as closely as possible. - + Disallow magic SysRq key @@ -303912,7 +303928,7 @@ which the system will be deployed as closely as possible. - + Disallow magic SysRq key @@ -303929,7 +303945,7 @@ which the system will be deployed as closely as possible. - + Disable Access to Network bpf() Syscall From Unprivileged Processes @@ -303944,7 +303960,7 @@ which the system will be deployed as closely as possible. - + Disable Access to Network bpf() Syscall From Unprivileged Processes @@ -303957,7 +303973,7 @@ which the system will be deployed as closely as possible. - + Disable Access to Network bpf() Syscall From Unprivileged Processes @@ -303974,7 +303990,7 @@ which the system will be deployed as closely as possible. - + Restrict usage of ptrace to descendant processes @@ -303989,7 +304005,7 @@ which the system will be deployed as closely as possible. - + Restrict usage of ptrace to descendant processes @@ -304002,7 +304018,7 @@ which the system will be deployed as closely as possible. - + Restrict usage of ptrace to descendant processes @@ -304019,7 +304035,7 @@ which the system will be deployed as closely as possible. - + Harden the operation of the BPF just-in-time compiler @@ -304034,7 +304050,7 @@ which the system will be deployed as closely as possible. - + Harden the operation of the BPF just-in-time compiler @@ -304047,7 +304063,7 @@ which the system will be deployed as closely as possible. - + Harden the operation of the BPF just-in-time compiler @@ -304064,7 +304080,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Packets Routed Between Local Interfaces @@ -304079,7 +304095,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Packets Routed Between Local Interfaces @@ -304092,7 +304108,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Packets Routed Between Local Interfaces @@ -304109,7 +304125,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv4 Interfaces @@ -304124,7 +304140,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv4 Interfaces @@ -304137,7 +304153,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv4 Interfaces @@ -304154,7 +304170,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces @@ -304169,7 +304185,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces @@ -304182,7 +304198,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces @@ -304199,7 +304215,7 @@ which the system will be deployed as closely as possible. - + Configure ARP filtering for All IPv4 Interfaces @@ -304214,7 +304230,7 @@ which the system will be deployed as closely as possible. - + Configure ARP filtering for All IPv4 Interfaces @@ -304227,7 +304243,7 @@ which the system will be deployed as closely as possible. - + Configure ARP filtering for All IPv4 Interfaces @@ -304244,7 +304260,7 @@ which the system will be deployed as closely as possible. - + Configure Response Mode of ARP Requests for All IPv4 Interfaces @@ -304259,7 +304275,7 @@ which the system will be deployed as closely as possible. - + Configure Response Mode of ARP Requests for All IPv4 Interfaces @@ -304272,7 +304288,7 @@ which the system will be deployed as closely as possible. - + Configure Response Mode of ARP Requests for All IPv4 Interfaces @@ -304289,7 +304305,7 @@ which the system will be deployed as closely as possible. - + Drop Gratuitious ARP frames on All IPv4 Interfaces @@ -304304,7 +304320,7 @@ which the system will be deployed as closely as possible. - + Drop Gratuitious ARP frames on All IPv4 Interfaces @@ -304317,7 +304333,7 @@ which the system will be deployed as closely as possible. - + Drop Gratuitious ARP frames on All IPv4 Interfaces @@ -304334,7 +304350,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces @@ -304349,7 +304365,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces @@ -304362,7 +304378,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces @@ -304379,7 +304395,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces @@ -304394,7 +304410,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces @@ -304407,7 +304423,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces @@ -304424,7 +304440,7 @@ which the system will be deployed as closely as possible. - + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces @@ -304439,7 +304455,7 @@ which the system will be deployed as closely as possible. - + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces @@ -304452,7 +304468,7 @@ which the system will be deployed as closely as possible. - + Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces @@ -304469,7 +304485,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces @@ -304484,7 +304500,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces @@ -304497,7 +304513,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces @@ -304514,7 +304530,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces @@ -304529,7 +304545,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces @@ -304542,7 +304558,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces @@ -304559,7 +304575,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces @@ -304574,7 +304590,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces @@ -304587,7 +304603,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces @@ -304604,7 +304620,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces @@ -304619,7 +304635,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces @@ -304632,7 +304648,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces @@ -304649,7 +304665,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces @@ -304664,7 +304680,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces @@ -304677,7 +304693,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces @@ -304694,7 +304710,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default @@ -304709,7 +304725,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default @@ -304722,7 +304738,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default @@ -304739,7 +304755,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default @@ -304754,7 +304770,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default @@ -304767,7 +304783,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default @@ -304784,7 +304800,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default @@ -304799,7 +304815,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default @@ -304812,7 +304828,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default @@ -304829,7 +304845,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel Parameter for Accepting Secure Redirects By Default @@ -304844,7 +304860,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel Parameter for Accepting Secure Redirects By Default @@ -304857,7 +304873,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel Parameter for Accepting Secure Redirects By Default @@ -304874,7 +304890,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default @@ -304889,7 +304905,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default @@ -304902,7 +304918,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default @@ -304919,7 +304935,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects by Default @@ -304934,7 +304950,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects by Default @@ -304947,7 +304963,7 @@ which the system will be deployed as closely as possible. - + Configure Sending and Accepting Shared Media Redirects by Default @@ -304964,7 +304980,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces @@ -304979,7 +304995,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces @@ -304992,7 +305008,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces @@ -305009,7 +305025,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces @@ -305024,7 +305040,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces @@ -305037,7 +305053,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces @@ -305054,7 +305070,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces @@ -305069,7 +305085,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces @@ -305082,7 +305098,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces @@ -305099,7 +305115,7 @@ which the system will be deployed as closely as possible. - + Set Kernel Parameter to Increase Local Port Range @@ -305114,7 +305130,7 @@ which the system will be deployed as closely as possible. - + Set Kernel Parameter to Increase Local Port Range @@ -305127,7 +305143,7 @@ which the system will be deployed as closely as possible. - + Set Kernel Parameter to Increase Local Port Range @@ -305144,7 +305160,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments @@ -305158,7 +305174,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments @@ -305171,7 +305187,7 @@ which the system will be deployed as closely as possible. - + Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments @@ -305188,7 +305204,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces @@ -305203,7 +305219,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces @@ -305216,7 +305232,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces @@ -305233,7 +305249,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces @@ -305248,7 +305264,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces @@ -305261,7 +305277,7 @@ which the system will be deployed as closely as possible. - + Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces @@ -305278,7 +305294,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Advertisements on All IPv6 Interfaces @@ -305296,7 +305312,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Advertisements on All IPv6 Interfaces @@ -305309,7 +305325,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Advertisements on All IPv6 Interfaces @@ -305326,7 +305342,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces @@ -305344,7 +305360,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces @@ -305357,7 +305373,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces @@ -305374,7 +305390,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces @@ -305392,7 +305408,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces @@ -305405,7 +305421,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces @@ -305422,7 +305438,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces @@ -305440,7 +305456,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces @@ -305453,7 +305469,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces @@ -305470,7 +305486,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv6 Interfaces @@ -305488,7 +305504,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv6 Interfaces @@ -305501,7 +305517,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting ICMP Redirects for All IPv6 Interfaces @@ -305518,7 +305534,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces @@ -305536,7 +305552,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces @@ -305549,7 +305565,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces @@ -305566,7 +305582,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces @@ -305584,7 +305600,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces @@ -305597,7 +305613,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces @@ -305614,7 +305630,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on All IPv6 Interfaces @@ -305632,7 +305648,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on All IPv6 Interfaces @@ -305645,7 +305661,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on All IPv6 Interfaces @@ -305662,7 +305678,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv6 Forwarding @@ -305680,7 +305696,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv6 Forwarding @@ -305693,7 +305709,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for IPv6 Forwarding @@ -305710,7 +305726,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces @@ -305728,7 +305744,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces @@ -305741,7 +305757,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces @@ -305758,7 +305774,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces @@ -305776,7 +305792,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces @@ -305789,7 +305805,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces @@ -305806,7 +305822,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default @@ -305824,7 +305840,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default @@ -305837,7 +305853,7 @@ which the system will be deployed as closely as possible. - + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default @@ -305854,7 +305870,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default @@ -305872,7 +305888,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default @@ -305885,7 +305901,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default @@ -305902,7 +305918,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default @@ -305920,7 +305936,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default @@ -305933,7 +305949,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default @@ -305950,7 +305966,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default @@ -305968,7 +305984,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default @@ -305981,7 +305997,7 @@ which the system will be deployed as closely as possible. - + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default @@ -305998,7 +306014,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces @@ -306016,7 +306032,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces @@ -306029,7 +306045,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces @@ -306046,7 +306062,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default @@ -306064,7 +306080,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default @@ -306077,7 +306093,7 @@ which the system will be deployed as closely as possible. - + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default @@ -306094,7 +306110,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces By Default @@ -306112,7 +306128,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces By Default @@ -306125,7 +306141,7 @@ which the system will be deployed as closely as possible. - + Configure Auto Configuration on All IPv6 Interfaces By Default @@ -306142,7 +306158,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on IPv6 Interfaces by Default @@ -306160,7 +306176,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on IPv6 Interfaces by Default @@ -306173,7 +306189,7 @@ which the system will be deployed as closely as possible. - + Disable IPv6 Addressing on IPv6 Interfaces by Default @@ -306190,7 +306206,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default @@ -306208,7 +306224,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default @@ -306221,7 +306237,7 @@ which the system will be deployed as closely as possible. - + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default @@ -306238,7 +306254,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces By Default @@ -306256,7 +306272,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces By Default @@ -306269,7 +306285,7 @@ which the system will be deployed as closely as possible. - + Configure Denying Router Solicitations on All IPv6 Interfaces By Default @@ -306286,7 +306302,7 @@ which the system will be deployed as closely as possible. - + Disable the use of user namespaces @@ -306301,7 +306317,7 @@ which the system will be deployed as closely as possible. - + Disable the use of user namespaces @@ -306314,7 +306330,7 @@ which the system will be deployed as closely as possible. - + Disable the use of user namespaces @@ -306331,7 +306347,7 @@ which the system will be deployed as closely as possible. - + Prevent applications from mapping low portion of virtual memory @@ -306346,7 +306362,7 @@ which the system will be deployed as closely as possible. - + Prevent applications from mapping low portion of virtual memory @@ -306359,7 +306375,7 @@ which the system will be deployed as closely as possible. - + Prevent applications from mapping low portion of virtual memory @@ -306376,7 +306392,7 @@ which the system will be deployed as closely as possible. - + Enable dnf-automatic Timer @@ -306394,7 +306410,7 @@ which the system will be deployed as closely as possible. - + Enable logrotate Timer @@ -306412,7 +306428,7 @@ which the system will be deployed as closely as possible. - + Enable Auditing to Start Prior to the Audit Daemon in zIPL @@ -306427,7 +306443,7 @@ which the system will be deployed as closely as possible. - + Extend Audit Backlog Limit for the Audit Daemon in zIPL @@ -306442,7 +306458,7 @@ which the system will be deployed as closely as possible. - + Enable page allocator poisoning in zIPL @@ -306457,7 +306473,7 @@ which the system will be deployed as closely as possible. - + Enable SLUB/SLAB allocator poisoning in zIPL @@ -306472,7 +306488,7 @@ which the system will be deployed as closely as possible. - + Disable vsyscalls in zIPL @@ -306487,7 +306503,7 @@ which the system will be deployed as closely as possible. - + Check pam_faillock Existence in system-auth @@ -306496,11 +306512,11 @@ which the system will be deployed as closely as possible.Check that pam_faillock.so exists in system-auth - + - + Check pam_pwquality Existence in system-auth @@ -306509,11 +306525,11 @@ which the system will be deployed as closely as possible.Check that pam_pwquality.so exists in system-auth - + - + Record Any Attempts to Run semanage @@ -306522,11 +306538,11 @@ which the system will be deployed as closely as possible.Test if auditctl is in use for audit rules. - + - + Record Any Attempts to Run semanage @@ -306535,11 +306551,11 @@ which the system will be deployed as closely as possible.Test if augenrules is enabled for audit rules. - + - + Record Events that Modify the System's Network Environment @@ -306554,7 +306570,7 @@ which the system will be deployed as closely as possible. - + @@ -306562,13 +306578,13 @@ which the system will be deployed as closely as possible. - + - + Record Events that Modify the System's Network Environment @@ -306583,7 +306599,7 @@ which the system will be deployed as closely as possible. - + @@ -306591,13 +306607,13 @@ which the system will be deployed as closely as possible. - + - + 'log_file' Not Set In /etc/audit/auditd.conf @@ -306607,10 +306623,10 @@ which the system will be deployed as closely as possible. - + - + 'log_group' Not Set To 'root' In /etc/audit/auditd.conf @@ -306621,11 +306637,11 @@ which the system will be deployed as closely as possible. - - + + - + Verify GRUB_DISABLE_RECOVERY Set to true @@ -306635,11 +306651,11 @@ which the system will be deployed as closely as possible. - - + + - + Specify Multiple Remote chronyd NTP Servers for Time Data @@ -306648,11 +306664,11 @@ which the system will be deployed as closely as possible.Multiple chronyd NTP Servers for time synchronization should be specified. - + - + GRUB_CMDLINE_LINUX_DEFAULT existance check @@ -306662,10 +306678,10 @@ which the system will be deployed as closely as possible. - + - + Use $kernelopts in /boot/loader/entries/*.conf @@ -306675,10 +306691,10 @@ which the system will be deployed as closely as possible. - + - + Install McAfee Host-Based Intrusion Detection Software (HBSS) @@ -306695,7 +306711,7 @@ which the system will be deployed as closely as possible. - + Anolis OS 23 @@ -306710,7 +306726,7 @@ which the system will be deployed as closely as possible. - + CentOS 7 @@ -306726,7 +306742,7 @@ which the system will be deployed as closely as possible. - + CentOS 8 @@ -306743,7 +306759,7 @@ which the system will be deployed as closely as possible. - + CentOS Stream 9 @@ -306760,7 +306776,7 @@ which the system will be deployed as closely as possible. - + Debian @@ -306774,7 +306790,7 @@ which the system will be deployed as closely as possible. - + Installed operating system is Fedora @@ -306794,7 +306810,7 @@ which the system will be deployed as closely as possible. - + @@ -306807,7 +306823,7 @@ which the system will be deployed as closely as possible. - + Oracle Linux 7 @@ -306818,14 +306834,14 @@ which the system will be deployed as closely as possible. - + - + Oracle Linux 8 @@ -306836,14 +306852,14 @@ which the system will be deployed as closely as possible. - + - + Oracle Linux 9 @@ -306854,14 +306870,14 @@ which the system will be deployed as closely as possible. - + - + OpenEmbedded @@ -306876,7 +306892,7 @@ which the system will be deployed as closely as possible. - + openSUSE @@ -306890,7 +306906,7 @@ which the system will be deployed as closely as possible. - + Installed operating system is part of the Unix family @@ -306899,11 +306915,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is part of the Unix OS family - + - + Poky @@ -306918,7 +306934,7 @@ which the system will be deployed as closely as possible. - + Red Hat Enterprise Linux CoreOS @@ -306929,14 +306945,14 @@ which the system will be deployed as closely as possible. - + - + Red Hat Enterprise Linux CoreOS RHEL9 Based @@ -306947,11 +306963,11 @@ which the system will be deployed as closely as possible. - + - + @@ -306964,7 +306980,7 @@ which the system will be deployed as closely as possible. - + Red Hat Enterprise Linux 7 @@ -306975,21 +306991,21 @@ which the system will be deployed as closely as possible. - + - + - + Red Hat Enterprise Linux 8 @@ -307000,18 +307016,18 @@ which the system will be deployed as closely as possible. - + - + - + Red Hat Enterprise Linux 8.0 @@ -307021,11 +307037,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.0 - + - + Red Hat Enterprise Linux 8.1 @@ -307035,11 +307051,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.1 - + - + Red Hat Enterprise Linux 8.2 @@ -307049,11 +307065,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.2 - + - + Red Hat Enterprise Linux 8.3 @@ -307063,11 +307079,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.3 - + - + Red Hat Enterprise Linux 8.4 @@ -307077,11 +307093,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.4 - + - + Red Hat Enterprise Linux 8.5 @@ -307091,11 +307107,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.5 - + - + Red Hat Enterprise Linux 8.6 @@ -307105,11 +307121,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.6 - + - + Red Hat Enterprise Linux 8.7 @@ -307119,11 +307135,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.7 - + - + Red Hat Enterprise Linux 8.8 @@ -307133,11 +307149,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.8 - + - + Red Hat Enterprise Linux 8.9 @@ -307147,11 +307163,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.9 - + - + Red Hat Enterprise Linux 8.10 @@ -307161,11 +307177,11 @@ which the system will be deployed as closely as possible.The operating system installed on the system is Red Hat Enterprise Linux 8.10 - + - + Red Hat Enterprise Linux 9 @@ -307176,18 +307192,18 @@ which the system will be deployed as closely as possible. - + - + - + Red Hat Virtualization 4 @@ -307203,7 +307219,7 @@ which the system will be deployed as closely as possible. - + Scientific Linux 7 @@ -307219,7 +307235,7 @@ which the system will be deployed as closely as possible. - + SUSE Linux Enterprise 12 @@ -307231,7 +307247,7 @@ which the system will be deployed as closely as possible. - + @@ -307240,7 +307256,7 @@ which the system will be deployed as closely as possible. - + SUSE Linux Enterprise 15 @@ -307252,7 +307268,7 @@ which the system will be deployed as closely as possible. - + @@ -307263,7 +307279,7 @@ which the system will be deployed as closely as possible. - + Ubuntu @@ -307278,7 +307294,7 @@ which the system will be deployed as closely as possible. - + Ubuntu 16.04 LTS @@ -307293,7 +307309,7 @@ which the system will be deployed as closely as possible. - + Ubuntu 18.04 LTS @@ -307308,7 +307324,7 @@ which the system will be deployed as closely as possible. - + Ubuntu 20.04 LTS @@ -307323,35 +307339,35 @@ which the system will be deployed as closely as possible. - + System uses zIPL Red Hat Enterprise Linux 8 - Checks if system uses zIPL bootloader. + Checks if system uses zIPL bootloader. - + - + Check if the environment is a OSBuild pipeline Red Hat Enterprise Linux 8 - Check the value of environment variable container. + Check the value of environment variable container. - + - + No CD/DVD drive is configured to automount in /etc/fstab @@ -307361,11 +307377,11 @@ which the system will be deployed as closely as possible. - - + + - + Device Files for Removable Media Partitions Does Not Exist on the System @@ -307375,11 +307391,11 @@ which the system will be deployed as closely as possible. - - + + - + SSHD is not required to be installed or requirement not set @@ -307393,7 +307409,7 @@ which the system will be deployed as closely as possible. - + SSHD is required to be installed or requirement not set @@ -307407,7 +307423,7 @@ which the system will be deployed as closely as possible. - + It doesn't matter if sshd is installed or not @@ -307420,7 +307436,7 @@ which the system will be deployed as closely as possible. - + OpenSSH Server is 7.4 or newer @@ -307433,7 +307449,7 @@ which the system will be deployed as closely as possible. - + Kernel Runtime Parameter IPv6 Check @@ -307449,7 +307465,7 @@ which the system will be deployed as closely as possible. - + Test for 64-bit Architecture @@ -307465,7 +307481,7 @@ which the system will be deployed as closely as possible. - + Test for aarch_64 Architecture @@ -307474,11 +307490,11 @@ which the system will be deployed as closely as possible.Generic test for aarch_64 architecture to be used by other tests - + - + Test for PPC and PPCLE Architecture @@ -307492,7 +307508,7 @@ which the system will be deployed as closely as possible. - + Test for s390_64 Architecture @@ -307501,11 +307517,11 @@ which the system will be deployed as closely as possible.Generic test for s390_64 architecture to be used by other tests - + - + Test for x86 Architecture @@ -307514,11 +307530,11 @@ which the system will be deployed as closely as possible.Generic test for x86 architecture to be used by other tests - + - + Test for x86_64 Architecture @@ -307527,11 +307543,11 @@ which the system will be deployed as closely as possible.Generic test for x86_64 architecture to be used by other tests - + - + @@ -307544,7 +307560,7 @@ which the system will be deployed as closely as possible. - + Check that file storing USBGuard rules exists and is not empty @@ -307557,7 +307573,7 @@ which the system will be deployed as closely as possible. - + Value of 'var_accounts_user_umask' variable represented as octal number @@ -307570,7 +307586,7 @@ which the system will be deployed as closely as possible. - + Value of 'var_removable_partition' variable is set to '/dev/cdrom' @@ -307580,11 +307596,11 @@ which the system will be deployed as closely as possible. - - + + - + Value of 'var_umask_for_daemons' variable represented as octal number @@ -307599,1173 +307615,1173 @@ which the system will be deployed as closely as possible. - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -308774,9300 +308790,9300 @@ which the system will be deployed as closely as possible. - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -318093,45 +318109,45 @@ which the system will be deployed as closely as possible.^\s*permissive\s*=\s*(\d+) 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*xferlog_enable[\s]*=[\s]*YES$ 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*xferlog_std_format[\s]*=[\s]*NO$ 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*log_ftp_protocol[\s]*=[\s]*YES$ 1 - + /etc/vsftpd/vsftpd.conf ^[\s]*banner_file=/etc/issue[\s]*$ 1 - + /etc/httpd/conf - + /var/log/httpd - + /etc/httpd/conf.d/ ^.*$ - + /etc/httpd/conf ^.*$ - + /etc/httpd/conf.modules.d/ ^.*$ @@ -318186,7 +318202,7 @@ which the system will be deployed as closely as possible.^(?i)postmaster\s*:\s*(.+)$ 1 - + /etc/postfix/main.cf ^[\s]*inet_interfaces[\s]*=[\s]*(.*)[\s]*$ 1 @@ -318201,7 +318217,7 @@ which the system will be deployed as closely as possible.^[ \t]*smtpd_client_restrictions = (.+?)[ \t]*(?:$|#) 1 - + ^/etc/postfix/main.cf @@ -318265,50 +318281,50 @@ which the system will be deployed as closely as possible.^\s*OPTIONS=.*[\s'"]-u(?!\s*chrony\b).* 0 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^[\s]*server.*$ 1 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^[\s]+pool.*$ 1 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^[\s]*(?:server|pool)[\s]+.+$ 1 - + /etc/ntp.conf ^([\s]*server[\s]+.+$){2,}$ 1 - + /etc/ntp.conf ^[\s]*server[\s]+.+$ 1 - + / shosts.equiv - + /root ^\.rhosts$ - + /home ^\.rhosts$ - + /etc ^hosts\.equiv$ - + / .shosts @@ -318363,7 +318379,7 @@ which the system will be deployed as closely as possible.^[\s]*(com2se|rocommunity|rwcommunity) 1 - + /etc/ssh .*_key$ oval:ssg-exclude_symlinks__sshd_private_key:ste:1 @@ -318428,7 +318444,7 @@ which the system will be deployed as closely as possible. oval:ssg-var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count:var:1 - + /etc/sysconfig/network-scripts ^ifcfg-(?!lo).* ^ZONE=(.*)$ @@ -318617,7 +318633,7 @@ which the system will be deployed as closely as possible.^[\s]*cache_credentials\s*=\s*(\w+)\s*(?:#.*)?$ 1 - + ^/etc/sssd/(sssd|conf\.d/.*)\.conf$ ^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*user[ \t]*=[ \t]*(\S*) 1 @@ -318647,7 +318663,7 @@ which the system will be deployed as closely as possible.^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#) 1 - + ^/etc/usbguard/usbguard-daemon.conf @@ -318659,22 +318675,22 @@ which the system will be deployed as closely as possible. xorg-x11-server-Xwayland - + /etc/systemd/system/default.target - + /etc/pam.d/fingerprint-auth - + /etc/pam.d/password-auth - + /etc/pam.d/postlogin - + /etc/pam.d/smartcard-auth - + /etc/pam.d/system-auth @@ -318739,24 +318755,24 @@ which the system will be deployed as closely as possible.^\s*(?:auth.*pam_faillock\.so.*)?dir\s*=\s*(\S+) 1 - + oval:ssg-var_account_password_selinux_faillock_dir_collector:var:1 - + /etc/pam.d/system-auth 1 - + /etc/pam.d/password-auth 1 - + /etc/security/faillock.conf ^\s*audit 1 @@ -318811,124 +318827,124 @@ which the system will be deployed as closely as possible.^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ 1 - + /etc/pam.d/system-auth 1 - + /etc/pam.d/password-auth 1 - + /etc/security/faillock.conf ^\s*audit 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + /etc/pam.d/system-auth 1 oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 - + /etc/pam.d/password-auth 1 oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 - + /etc/pam.d/system-auth 1 @@ -318939,147 +318955,147 @@ which the system will be deployed as closely as possible. oval:ssg-var_faillock_dir_set_both_preauth_authfail_password_auth:var:1 - + /etc/security/faillock.conf 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 - + /etc/pam.d/system-auth 1 - + /etc/pam.d/password-auth 1 - + /etc/security/faillock.conf ^\s*silent 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/pam.d/system-auth$ 1 - + ^/etc/pam.d/password-auth$ 1 - + ^/etc/security/faillock.conf$ 1 @@ -319109,7 +319125,7 @@ which the system will be deployed as closely as possible.^[\s]*retry[\s]*=[\s]*(\d+)(?:[\s]|$) 1 - + /etc/libuser.conf ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ 1 @@ -319123,12 +319139,12 @@ which the system will be deployed as closely as possible. oval:ssg-variable_last_encrypt_method_instance_value:var:1 - + /etc/pam.d/password-auth ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ 1 - + /etc/pam.d/system-auth ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ 1 @@ -319158,7 +319174,7 @@ which the system will be deployed as closely as possible.^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ 1 - + /etc/systemd/system/ctrl-alt-del.target @@ -319176,7 +319192,7 @@ which the system will be deployed as closely as possible.^\s*\[Login\].*(?:\n\s*[^[\s].*)*\n^\s*StopIdleSessionSec[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/systemd/logind.conf @@ -319189,12 +319205,12 @@ which the system will be deployed as closely as possible.^Requires=.*emergency\.service 1 - + /etc/systemd/system ^emergency.service$ - + /etc/systemd/system ^emergency.target$ @@ -319393,7 +319409,7 @@ which the system will be deployed as closely as possible.^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ 1 - + oval:ssg-var_password_pam_unix_rounds:var:1 @@ -319401,7 +319417,7 @@ which the system will be deployed as closely as possible.^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ 1 - + oval:ssg-var_password_pam_unix_rounds:var:1 @@ -319434,22 +319450,22 @@ which the system will be deployed as closely as possible. \.forward$ - + /etc/group ^\+.*$ 1 - + /etc/passwd ^\+.*$ 1 - + /etc/shadow ^\+.*$ 1 - + /home ^\.netrc$ @@ -319464,7 +319480,7 @@ which the system will be deployed as closely as possible.^root:.+:\d+:(\d+).+ 1 - + /etc/group 1 @@ -319511,22 +319527,22 @@ which the system will be deployed as closely as possible.^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt|\/bin\/false|\/usr\/bin\/false).*$ 1 - + /etc/securetty ^ttyS[0-9]+$ 1 - + /etc/securetty ^vc/[0-9]+$ 1 - + /etc/pam.d/su ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ 1 - + /etc/pam.d/su ^\s*auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)[^#]*\bgroup=([_a-z][-0-9_a-z]*) 1 @@ -319536,7 +319552,7 @@ which the system will be deployed as closely as possible.^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:#.*)?$ 1 - + /etc/login.defs ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) 1 @@ -319874,7 +319890,7 @@ which the system will be deployed as closely as possible. PATH - + oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 @@ -319884,7 +319900,7 @@ which the system will be deployed as closely as possible. PATH - + /etc/bashrc ^[\s]*umask[\s]+([^#\s]*) 1 @@ -319892,7 +319908,7 @@ which the system will be deployed as closely as possible. oval:ssg-var_etc_bashrc_umask_as_number:var:1 - + /etc/csh.cshrc ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 @@ -319900,7 +319916,7 @@ which the system will be deployed as closely as possible. oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 - + /etc/login.defs ^[\s]*UMASK[\s]+([^#\s]*) 1 @@ -319927,7 +319943,7 @@ which the system will be deployed as closely as possible.1 oval:ssg-state_object_accounts_umask_interactive_users_objects_users_ignored:ste:1 - + ^\..* ^[\s]*umask\s* @@ -320224,92 +320240,92 @@ which the system will be deployed as closely as possible. 1 - + /var/log/audit oval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1 - + /var/log/audit oval:ssg-state_group_owner_not_root_var_log_audit_directories-non_root:ste:1 - + oval:ssg-state_group_owner_not_root_var_log_audit_directories:ste:1 - + - + oval:ssg-state_owner_not_root_var_log_audit_directories:ste:1 - + /var/log/audit oval:ssg-state_owner_not_root_var_log_audit_directories:ste:1 - + oval:ssg-state_not_mode_0700:ste:1 - + /var/log/audit oval:ssg-state_not_mode_0700:ste:1 - + oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 - + /var/log/audit/audit.log oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 - + /var/log/audit oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 - + /var/log/audit ^.*$ oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 - + /var/log/audit oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 - + /var/log/audit ^.*$ oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 - + oval:ssg-state_owner_not_root_var_log_audit:ste:1 - + /var/log/audit/audit.log oval:ssg-state_owner_not_root_var_log_audit:ste:1 - + oval:ssg-state_not_mode_0600:ste:1 - + /var/log/audit/audit.log oval:ssg-state_not_mode_0600:ste:1 @@ -320691,7 +320707,7 @@ which the system will be deployed as closely as possible.(?:.*\n)* 1 - + ^CONFIG_RANDOM_TRUST_CPU=(y|Y)$ @@ -320765,13 +320781,13 @@ which the system will be deployed as closely as possible.^\s*image\s*=.*$ 1 - + /boot/bootmap - + /etc/zipl.conf - + ^/boot/loader/entries/.*\.conf$ @@ -320813,34 +320829,34 @@ which the system will be deployed as closely as possible.^[\s]*cron\.\*[\s]+/var/log/cron\s*(?:#.*)?$ 1 - + /etc/rsyslog.conf ^\$ActionSendStreamDriverAuthMode x509/name$ 1 - + /etc/rsyslog.d ^.*conf$ ^\$ActionSendStreamDriverAuthMode x509/name$ 1 - + /etc/rsyslog.conf ^\$ActionSendStreamDriverMode 1$ 1 - + /etc/rsyslog.d ^.*conf$ ^\$ActionSendStreamDriverMode 1$ 1 - + /etc/rsyslog.conf ^\$DefaultNetstreamDriver gtls$ 1 - + /etc/rsyslog.d ^.*conf$ ^\$DefaultNetstreamDriver gtls$ @@ -320963,24 +320979,19 @@ which the system will be deployed as closely as possible.^.*$ oval:ssg-state_promisc:ste:1 - - /etc/firewalld/firewalld.conf - ^DefaultZone=drop$ - 1 - - + /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_DEFAULTGW=.+$ 1 - + /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_PRIVACY=rfc3041$ 1 - + /etc/sysconfig/network-scripts ifcfg-.* ^IPV6ADDR=.+$ @@ -320992,12 +321003,12 @@ which the system will be deployed as closely as possible.^\s*options\s+ipv6\s+.*disable=1.*$ 1 - + /etc/netconfig ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ 1 - + /etc/netconfig ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ 1 @@ -321011,29 +321022,29 @@ which the system will be deployed as closely as possible. oval:ssg-state_uid_is_not_root_and_world_writable:ste:1 - + / oval:ssg-state_world_writable_and_not_sticky:ste:1 - + / oval:ssg-state_uid_is_user_and_world_writable:ste:1 - + / oval:ssg-state_gid_is_user_and_world_writable:ste:1 - + /boot ^System\.map.*$ - + / ^.*$ @@ -321049,13 +321060,13 @@ which the system will be deployed as closely as possible..* - + / ^.*$ oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1 - + / ^.*$ @@ -321071,13 +321082,13 @@ which the system will be deployed as closely as possible..* - + / ^.*$ oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1 - + / ^.*$ @@ -321086,7 +321097,7 @@ which the system will be deployed as closely as possible.oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1 oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1 - + / .* @@ -321100,28 +321111,28 @@ which the system will be deployed as closely as possible. .* - + / .* oval:ssg-file_permissions_unowned_userid_list_match:ste:1 - + ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin ^.*$ oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1 - + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec oval:ssg-state_owner_binaries_not_root:ste:1 - + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ oval:ssg-state_owner_binaries_not_root:ste:1 - + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 @@ -321136,7 +321147,7 @@ which the system will be deployed as closely as possible.^/\w.*$ oval:ssg-state_local_nodev:ste:1 - + /etc/fstab ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ 1 @@ -321144,7 +321155,7 @@ which the system will be deployed as closely as possible. ^/var/tmp$ - + /etc/mtab ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ 1 @@ -321191,7 +321202,7 @@ which the system will be deployed as closely as possible.^[\s]*\*[\s]+(?:hard|-)[\s]+core 1 - + /etc/init.d/functions ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 @@ -321251,21 +321262,21 @@ which the system will be deployed as closely as possible.^.*(selinux|enforcing)=0.*$ 1 - + /dev ^.*$ oval:ssg-state_block_or_char_device_file:ste:1 - + oval:ssg-state_selinux_dev_device_t:ste:1 - + oval:ssg-state_selinux_dev_unlabeled_t:ste:1 - + /proc ^.*$ @@ -321299,22 +321310,22 @@ which the system will be deployed as closely as possible.^.*\.(.*)$ 1 - + /etc/dconf/db/gdm - + ^/etc/dconf/db/gdm.d/.* - + oval:ssg-var_dconf_gdm_db_modified_time:var:1 - + /etc/dconf/db/local - + ^/etc/dconf/db/local.d/.* - + oval:ssg-var_dconf_local_db_modified_time:var:1 @@ -321385,7 +321396,7 @@ which the system will be deployed as closely as possible.^\s*\[xdmcp\].*(?:\n\s*[^[\s].*)*\n^\s*Enable[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/gdm/custom.conf @@ -321633,13 +321644,13 @@ which the system will be deployed as closely as possible.^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ 1 - + /etc/crypto-policies/state/current - + /etc/crypto-policies/config - + oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 @@ -321663,10 +321674,10 @@ which the system will be deployed as closely as possible. oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 - + /etc/krb5.conf.d/crypto-policies - + /etc/crypto-policies/back-ends/krb5.config @@ -321786,11 +321797,11 @@ which the system will be deployed as closely as possible. MFEcma - + /opt/NAI/LinuxShield/engine/dat ^.*\.dat$ - + oval:ssg-variable_mcafee_dat_files_mtime:var:1 @@ -321823,7 +321834,7 @@ which the system will be deployed as closely as possible.fips=1 1 - + /etc/system-fips @@ -321877,12 +321888,12 @@ which the system will be deployed as closely as possible.^/usr/sbin/augenrules\s+([^\n]+)$ 1 - + /etc/crontab ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ 1 - + /etc/cron.d ^.*$ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ @@ -321893,23 +321904,23 @@ which the system will be deployed as closely as possible.^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ 1 - + ^/etc/cron.(daily|weekly)$ ^.*$ ^[^#]*\/usr\/sbin\/aide\s+\-\-check\s*$ 1 - + /etc/crontab ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 - + /var/spool/cron/root ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 - + ^/etc/cron.(d|daily|weekly|monthly)$ ^.*$ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ @@ -321975,10 +321986,10 @@ which the system will be deployed as closely as possible..* oval:ssg-state_files_fail_mode:ste:1 - + /usr/bin/sudo - + /etc/group 1 @@ -322112,7 +322123,7 @@ which the system will be deployed as closely as possible.^Defaults runaspw$\r?\n 1 - + /etc/yum.conf ^\s*clean_requirements_on_remove\s*=\s*(1|True|yes)\s*$ 1 @@ -322122,7 +322133,7 @@ which the system will be deployed as closely as possible.^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*apply_updates[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/dnf/automatic.conf @@ -322130,15 +322141,15 @@ which the system will be deployed as closely as possible.^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 - + ^/etc/dnf/automatic.conf - + /etc/yum.conf ^\s*gpgcheck\s*=\s*1\s*$ 1 - + /etc/yum.conf ^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$ 1 @@ -322149,7 +322160,7 @@ which the system will be deployed as closely as possible.^\s*gpgcheck\s*=\s*0\s*$ 1 - + /etc/yum.conf ^\s*repo_gpgcheck\s*=\s*(1|True|yes)\s*$ 1 @@ -325240,168 +325251,168 @@ which the system will be deployed as closely as possible.^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ 1 - + /lib oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_0:ste:1 - + /lib64 oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_1:ste:1 - + /usr/lib oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_2:ste:1 - + /usr/lib64 oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_3:ste:1 - + /bin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_0:ste:1 - + /sbin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_1:ste:1 - + /usr/bin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_2:ste:1 - + /usr/sbin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_3:ste:1 - + /usr/local/bin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_4:ste:1 - + /usr/local/sbin oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_5:ste:1 - + /lib oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1 - + /lib64 oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1 - + /usr/lib oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1 - + /usr/lib64 oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1 - + /bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_0_mode_0755or_stricter_:ste:1 - + /sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_1_mode_0755or_stricter_:ste:1 - + /usr/bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_2_mode_0755or_stricter_:ste:1 - + /usr/sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_3_mode_0755or_stricter_:ste:1 - + /usr/local/bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_4_mode_0755or_stricter_:ste:1 - + /usr/local/sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_5_mode_0755or_stricter_:ste:1 - + /lib oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_library_dirs_0_mode_7755or_stricter_:ste:1 - + /lib64 oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_library_dirs_1_mode_7755or_stricter_:ste:1 - + /usr/lib oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_library_dirs_2_mode_7755or_stricter_:ste:1 - + /usr/lib64 @@ -325413,311 +325424,311 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_disable_host_auth:obj:1 - + /etc/at.deny - + /sbin/auditctl oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_4:ste:1 - + /sbin/rsyslogd oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_groupownerfile_audit_tools_group_ownership_uid_0:ste:1 oval:ssg-state_file_groupownerfile_audit_tools_group_ownership_gid_0_6:ste:1 - + /sbin/auditctl oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_4:ste:1 - + /sbin/rsyslogd oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_ownerfile_audit_tools_ownership_uid_0:ste:1 oval:ssg-state_file_ownerfile_audit_tools_ownership_uid_0_6:ste:1 - + /sbin/auditctl oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_0_mode_0755or_stricter_:ste:1 - + /sbin/aureport oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_1_mode_0755or_stricter_:ste:1 - + /sbin/ausearch oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_2_mode_0755or_stricter_:ste:1 - + /sbin/autrace oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_3_mode_0755or_stricter_:ste:1 - + /sbin/auditd oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_4_mode_0755or_stricter_:ste:1 - + /sbin/rsyslogd oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_5_mode_0755or_stricter_:ste:1 - + /sbin/augenrules oval:ssg-exclude_symlinks_file_audit_tools_permissions:ste:1 oval:ssg-state_file_permissionsfile_audit_tools_permissions_6_mode_0755or_stricter_:ste:1 - + /etc/cron.deny - + /etc/at.allow oval:ssg-symlink_file_groupowner_at_allow_uid_0:ste:1 oval:ssg-state_file_groupowner_at_allow_gid_0_0:ste:1 - + /etc/group- oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1 - + /etc/gshadow- oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1 - + /etc/passwd- oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1 - + /etc/shadow- oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1 oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1 - + /etc/cron.allow oval:ssg-symlink_file_groupowner_cron_allow_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_allow_gid_0_0:ste:1 - + /etc/cron.d oval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1 - + /etc/cron.daily oval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1 - + /etc/cron.hourly oval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1 - + /etc/cron.monthly oval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1 - + /etc/cron.weekly oval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1 oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1 - + /etc/crontab oval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1 oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1 - + /boot/efi/EFI/redhat/grub.cfg oval:ssg-symlink_file_groupowner_efi_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_efi_grub2_cfg_gid_0_0:ste:1 - + /boot/efi/EFI/redhat/user.cfg oval:ssg-symlink_file_groupowner_efi_user_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_efi_user_cfg_gid_0_0:ste:1 - + /etc/group oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1 - + /etc/gshadow oval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1 - + /etc/issue oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1 - + /etc/issue.net oval:ssg-symlink_file_groupowner_etc_issue_net_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_issue_net_gid_0_0:ste:1 - + /etc/motd oval:ssg-symlink_file_groupowner_etc_motd_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_motd_gid_0_0:ste:1 - + /etc/passwd oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1 - + /etc/shadow oval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1 oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1 - + /boot/grub2/grub.cfg oval:ssg-symlink_file_groupowner_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_grub2_cfg_gid_0_0:ste:1 - + /etc/ssh/sshd_config oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1 oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1 - + /boot/grub2/user.cfg oval:ssg-symlink_file_groupowner_user_cfg_uid_0:ste:1 oval:ssg-state_file_groupowner_user_cfg_gid_0_0:ste:1 - + /var/log oval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1 oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1 - + /var/log/messages oval:ssg-symlink_file_groupowner_var_log_messages_uid_0:ste:1 oval:ssg-state_file_groupowner_var_log_messages_gid_0_0:ste:1 - + /var/log/syslog oval:ssg-symlink_file_groupowner_var_log_syslog_uid_4:ste:1 oval:ssg-state_file_groupowner_var_log_syslog_gid_4_0:ste:1 - + /sbin/auditctl oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_4:ste:1 - + /sbin/audispd oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_groupownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_binaries_gid_0_6:ste:1 - + /etc/audit ^audit(\.rules|d\.conf)$ oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_configuration_gid_0_0:ste:1 - + /etc/audit/rules.d ^.*\.rules$ oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_groupownership_audit_configuration_gid_0_1:ste:1 - + /etc/ssh ^.*_key$ oval:ssg-symlink_file_groupownership_sshd_private_key_uid_ssh_keys:ste:1 @@ -325728,464 +325739,464 @@ which the system will be deployed as closely as possible.^ssh_keys:\w+:(\w+):.* 1 - + /etc/ssh ^.*\.pub$ oval:ssg-symlink_file_groupownership_sshd_pub_key_uid_0:ste:1 oval:ssg-state_file_groupownership_sshd_pub_key_gid_0_0:ste:1 - + /etc/group- oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1 - + /etc/gshadow- oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1 - + /etc/passwd- oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1 - + /etc/shadow- oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1 oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1 - + /etc/cron.allow oval:ssg-symlink_file_owner_cron_allow_uid_0:ste:1 oval:ssg-state_file_owner_cron_allow_uid_0_0:ste:1 - + /etc/cron.d oval:ssg-symlink_file_owner_cron_d_uid_0:ste:1 oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1 - + /etc/cron.daily oval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1 oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1 - + /etc/cron.hourly oval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1 oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1 - + /etc/cron.monthly oval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1 oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1 - + /etc/cron.weekly oval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1 oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1 - + /etc/crontab oval:ssg-symlink_file_owner_crontab_uid_0:ste:1 oval:ssg-state_file_owner_crontab_uid_0_0:ste:1 - + /boot/efi/EFI/redhat/grub.cfg oval:ssg-symlink_file_owner_efi_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_owner_efi_grub2_cfg_uid_0_0:ste:1 - + /boot/efi/EFI/redhat/user.cfg oval:ssg-symlink_file_owner_efi_user_cfg_uid_0:ste:1 oval:ssg-state_file_owner_efi_user_cfg_uid_0_0:ste:1 - + /etc/group oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1 oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1 - + /etc/gshadow oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1 oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1 - + /etc/issue oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1 oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1 - + /etc/issue.net oval:ssg-symlink_file_owner_etc_issue_net_uid_0:ste:1 oval:ssg-state_file_owner_etc_issue_net_uid_0_0:ste:1 - + /etc/motd oval:ssg-symlink_file_owner_etc_motd_uid_0:ste:1 oval:ssg-state_file_owner_etc_motd_uid_0_0:ste:1 - + /etc/passwd oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1 oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1 - + /etc/shadow oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1 oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1 - + /boot/grub2/grub.cfg oval:ssg-symlink_file_owner_grub2_cfg_uid_0:ste:1 oval:ssg-state_file_owner_grub2_cfg_uid_0_0:ste:1 - + /etc/ssh/sshd_config oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1 oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1 - + /boot/grub2/user.cfg oval:ssg-symlink_file_owner_user_cfg_uid_0:ste:1 oval:ssg-state_file_owner_user_cfg_uid_0_0:ste:1 - + /var/log oval:ssg-symlink_file_owner_var_log_uid_0:ste:1 oval:ssg-state_file_owner_var_log_uid_0_0:ste:1 - + /var/log/messages oval:ssg-symlink_file_owner_var_log_messages_uid_0:ste:1 oval:ssg-state_file_owner_var_log_messages_uid_0_0:ste:1 - + /var/log/syslog oval:ssg-symlink_file_owner_var_log_syslog_uid_104:ste:1 oval:ssg-state_file_owner_var_log_syslog_uid_104_0:ste:1 - + /sbin/auditctl oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_0:ste:1 - + /sbin/aureport oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_1:ste:1 - + /sbin/ausearch oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_2:ste:1 - + /sbin/autrace oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_3:ste:1 - + /sbin/auditd oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_4:ste:1 - + /sbin/audispd oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_5:ste:1 - + /sbin/augenrules oval:ssg-symlink_file_ownership_audit_binaries_uid_0:ste:1 oval:ssg-state_file_ownership_audit_binaries_uid_0_6:ste:1 - + /etc/audit ^audit(\.rules|d\.conf)$ oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_ownership_audit_configuration_uid_0_0:ste:1 - + /etc/audit/rules.d ^.*\.rules$ oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1 oval:ssg-state_file_ownership_audit_configuration_uid_0_1:ste:1 - + /lib ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1 - + /lib64 ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1 - + /usr/lib ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1 - + /usr/lib64 ^.*$ oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1 - + /etc/ssh ^.*_key$ oval:ssg-symlink_file_ownership_sshd_private_key_uid_0:ste:1 oval:ssg-state_file_ownership_sshd_private_key_uid_0_0:ste:1 - + /etc/ssh ^.*\.pub$ oval:ssg-symlink_file_ownership_sshd_pub_key_uid_0:ste:1 oval:ssg-state_file_ownership_sshd_pub_key_uid_0_0:ste:1 - + /etc/at.allow oval:ssg-exclude_symlinks__at_allow:ste:1 oval:ssg-state_file_permissions_at_allow_0_mode_0600or_stricter_:ste:1 - + /sbin/auditctl oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_0_mode_0755or_stricter_:ste:1 - + /sbin/aureport oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_1_mode_0755or_stricter_:ste:1 - + /sbin/ausearch oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_2_mode_0755or_stricter_:ste:1 - + /sbin/autrace oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_3_mode_0755or_stricter_:ste:1 - + /sbin/auditd oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_4_mode_0755or_stricter_:ste:1 - + /sbin/audispd oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_5_mode_0755or_stricter_:ste:1 - + /sbin/augenrules oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_6_mode_0755or_stricter_:ste:1 - + /etc/audit .*audit\(\.rules\|d\.conf\)$ oval:ssg-exclude_symlinks__audit_configuration:ste:1 oval:ssg-state_file_permissions_audit_configuration_0_mode_0640or_stricter_:ste:1 - + /etc/audit/rules.d .*\.rules$ oval:ssg-exclude_symlinks__audit_configuration:ste:1 oval:ssg-state_file_permissions_audit_configuration_1_mode_0640or_stricter_:ste:1 - + /etc/group- oval:ssg-exclude_symlinks__backup_etc_group:ste:1 oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1 - + /etc/gshadow- oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1 oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1 - + /etc/passwd- oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1 oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1 - + /etc/shadow- oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1 oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1 - + /etc/cron.allow oval:ssg-exclude_symlinks__cron_allow:ste:1 oval:ssg-state_file_permissions_cron_allow_0_mode_0600or_stricter_:ste:1 - + /etc/cron.d oval:ssg-exclude_symlinks__cron_d:ste:1 oval:ssg-state_file_permissions_cron_d_0_mode_0700or_stricter_:ste:1 - + /etc/cron.daily oval:ssg-exclude_symlinks__cron_daily:ste:1 oval:ssg-state_file_permissions_cron_daily_0_mode_0700or_stricter_:ste:1 - + /etc/cron.hourly oval:ssg-exclude_symlinks__cron_hourly:ste:1 oval:ssg-state_file_permissions_cron_hourly_0_mode_0700or_stricter_:ste:1 - + /etc/cron.monthly oval:ssg-exclude_symlinks__cron_monthly:ste:1 oval:ssg-state_file_permissions_cron_monthly_0_mode_0700or_stricter_:ste:1 - + /etc/cron.weekly oval:ssg-exclude_symlinks__cron_weekly:ste:1 oval:ssg-state_file_permissions_cron_weekly_0_mode_0700or_stricter_:ste:1 - + /etc/crontab oval:ssg-exclude_symlinks__crontab:ste:1 oval:ssg-state_file_permissions_crontab_0_mode_0600or_stricter_:ste:1 - + /boot/efi/EFI/redhat/grub.cfg oval:ssg-exclude_symlinks__efi_grub2_cfg:ste:1 oval:ssg-state_file_permissions_efi_grub2_cfg_0_mode_0700or_stricter_:ste:1 - + /boot/efi/EFI/redhat/user.cfg oval:ssg-exclude_symlinks__efi_user_cfg:ste:1 oval:ssg-state_file_permissions_efi_user_cfg_0_mode_0700or_stricter_:ste:1 - + /etc/audit/auditd.conf oval:ssg-exclude_symlinks__etc_audit_auditd:ste:1 oval:ssg-state_file_permissions_etc_audit_auditd_0_mode_0640or_stricter_:ste:1 - + /etc/audit/rules.d ^.*rules$ oval:ssg-exclude_symlinks__etc_audit_rulesd:ste:1 oval:ssg-state_file_permissions_etc_audit_rulesd_0_mode_0640or_stricter_:ste:1 - + /etc/group oval:ssg-exclude_symlinks__etc_group:ste:1 oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1 - + /etc/gshadow oval:ssg-exclude_symlinks__etc_gshadow:ste:1 oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1 - + /etc/issue oval:ssg-exclude_symlinks__etc_issue:ste:1 oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1 - + /etc/issue.net oval:ssg-exclude_symlinks__etc_issue_net:ste:1 oval:ssg-state_file_permissions_etc_issue_net_0_mode_0644or_stricter_:ste:1 - + /etc/motd oval:ssg-exclude_symlinks__etc_motd:ste:1 oval:ssg-state_file_permissions_etc_motd_0_mode_0644or_stricter_:ste:1 - + /etc/passwd oval:ssg-exclude_symlinks__etc_passwd:ste:1 oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1 - + /etc/shadow oval:ssg-exclude_symlinks__etc_shadow:ste:1 oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1 - + /boot/grub2/grub.cfg oval:ssg-exclude_symlinks__grub2_cfg:ste:1 oval:ssg-state_file_permissions_grub2_cfg_0_mode_0600or_stricter_:ste:1 - + /lib ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1 - + /lib64 ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1 - + /usr/lib ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1 - + /usr/lib64 ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1 - + /etc/ssh/sshd_config oval:ssg-exclude_symlinks__sshd_config:ste:1 oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1 - + /etc/ssh ^.*\.pub$ oval:ssg-exclude_symlinks__sshd_pub_key:ste:1 oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1 - + /boot/grub2/user.cfg oval:ssg-exclude_symlinks__user_cfg:ste:1 oval:ssg-state_file_permissions_user_cfg_0_mode_0600or_stricter_:ste:1 - + /var/log oval:ssg-exclude_symlinks__var_log:ste:1 oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1 - + /var/log/messages oval:ssg-exclude_symlinks__var_log_messages:ste:1 oval:ssg-state_file_permissions_var_log_messages_0_mode_0640or_stricter_:ste:1 - + /var/log/syslog oval:ssg-exclude_symlinks__var_log_syslog:ste:1 oval:ssg-state_file_permissions_var_log_syslog_0_mode_0640or_stricter_:ste:1 @@ -326561,7 +326572,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_acpi_custom_method_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326573,7 +326584,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_arm64_sw_ttbr0_pan_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326585,7 +326596,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_binfmt_misc_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326597,7 +326608,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_bug_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326609,7 +326620,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_bug_on_data_corruption_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326621,7 +326632,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_compat_brk_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326633,7 +326644,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_compat_vdso_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326645,7 +326656,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_credentials_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326657,7 +326668,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_fs_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326669,7 +326680,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_list_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326681,7 +326692,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_notifiers_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326693,7 +326704,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_sg_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326705,7 +326716,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_debug_wx_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326717,7 +326728,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_default_mmap_min_addr_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326729,7 +326740,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_devkmem_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326741,7 +326752,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_fortify_source_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326753,7 +326764,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_gcc_plugin_latent_entropy_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326765,7 +326776,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_gcc_plugin_structleak_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326777,7 +326788,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_hardened_usercopy_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326789,7 +326800,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_hardened_usercopy_fallback_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326801,7 +326812,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_hibernation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326813,7 +326824,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_ia32_emulation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326825,7 +326836,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_ipv6_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326837,7 +326848,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_kexec_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326849,7 +326860,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_legacy_ptys_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326861,7 +326872,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_legacy_vsyscall_emulate_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326873,7 +326884,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_legacy_vsyscall_none_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326885,7 +326896,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_modify_ldt_syscall_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326897,7 +326908,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326909,7 +326920,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_all_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326921,7 +326932,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_force_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326933,7 +326944,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_hash_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326945,7 +326956,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_key_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326957,7 +326968,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_module_sig_sha512_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326969,7 +326980,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_poisoning_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326981,7 +326992,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_poisoning_no_sanity_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -326993,7 +327004,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_poisoning_zero_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327005,7 +327016,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_page_table_isolation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327017,7 +327028,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_panic_on_oops_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327029,7 +327040,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_panic_timeout_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327041,7 +327052,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_proc_kcore_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327053,7 +327064,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_randomize_base_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327065,7 +327076,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_randomize_memory_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327077,7 +327088,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_refcount_full_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327089,7 +327100,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_retpoline_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327101,7 +327112,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_sched_stack_end_check_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327113,7 +327124,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_seccomp_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327125,7 +327136,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_seccomp_filter_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327137,7 +327148,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327149,7 +327160,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_dmesg_restrict_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327161,7 +327172,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_writable_hooks_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327173,7 +327184,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_security_yama_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327185,7 +327196,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slab_freelist_hardened_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327197,7 +327208,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slab_freelist_random_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327209,7 +327220,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slab_merge_default_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327221,7 +327232,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_slub_debug_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327233,7 +327244,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_stackprotector_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327245,7 +327256,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_stackprotector_strong_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327257,7 +327268,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_strict_kernel_rwx_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327269,7 +327280,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_strict_module_rwx_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327281,7 +327292,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_syn_cookies_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327293,7 +327304,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_unmap_kernel_at_el0_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327305,7 +327316,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_vmap_stack_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327317,7 +327328,7 @@ which the system will be deployed as closely as possible. oval:ssg-local_var_config_x86_vsyscall_emulation_count_kernels_installed:var:1 - + /boot ^config-.*$ @@ -327585,106 +327596,106 @@ which the system will be deployed as closely as possible.^blacklist\s+vfat$ 1 - + /boot/efi - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot/efi[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /boot - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/boot[\s]+[\S]+[\s]+([\S]+) 1 - + /dev/shm - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 - + /dev/shm - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 - + /dev/shm - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 - + /home - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 @@ -327759,146 +327770,146 @@ which the system will be deployed as closely as possible. 1 - + /opt - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/opt[\s]+[\S]+[\s]+([\S]+) 1 - + /proc - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/proc[\s]+[\S]+[\s]+([\S]+) 1 - + /srv - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/srv[\s]+[\S]+[\s]+([\S]+) 1 - + /tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log/audit - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log/audit - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log/audit - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 - + /var/log - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 - + /var - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 - + /var - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 - + /var - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 - + /var/tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /var/tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 - + /var/tmp - + /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 @@ -328305,28 +328316,28 @@ which the system will be deployed as closely as possible. /var/tmp - + /lib ^.*$ oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1 oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_0:ste:1 - + /lib64 ^.*$ oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1 oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_1:ste:1 - + /usr/lib ^.*$ oval:ssg-symlink_file_groupownerroot_permissions_syslibrary_files_uid_0:ste:1 oval:ssg-state_file_groupownerroot_permissions_syslibrary_files_gid_0_2:ste:1 - + /usr/lib64 ^.*$ @@ -329309,893 +329320,898 @@ which the system will be deployed as closely as possible. zoneminder_run_sudo - + ^abrtd\.(service|socket)$ ActiveState - + ^abrtd\.(service|socket)$ LoadState abrt - + ^acpid\.(service|socket)$ ActiveState - + ^acpid\.(service|socket)$ LoadState acpid - + ^atd\.(service|socket)$ ActiveState - + ^atd\.(service|socket)$ LoadState at - + multi-user.target - + multi-user.target - + ^auditd\.(socket|service)$ ActiveState audit - + ^autofs\.(service|socket)$ ActiveState - + ^autofs\.(service|socket)$ LoadState autofs - + ^avahi-daemon\.(service|socket)$ ActiveState - + ^avahi-daemon\.(service|socket)$ LoadState avahi - + ^bluetooth\.(service|socket)$ ActiveState - + ^bluetooth\.(service|socket)$ LoadState bluez - + ^certmonger\.(service|socket)$ ActiveState - + ^certmonger\.(service|socket)$ LoadState certmonger - + multi-user.target - + multi-user.target - + ^chronyd\.(socket|service)$ ActiveState chrony - + ^cockpit\.(service|socket)$ ActiveState - + ^cockpit\.(service|socket)$ LoadState cockpit - + ^cpupower\.(service|socket)$ ActiveState - + ^cpupower\.(service|socket)$ LoadState kernel-tools - + multi-user.target - + multi-user.target - + ^cron\.(socket|service)$ ActiveState cron - + multi-user.target - + multi-user.target - + ^crond\.(socket|service)$ ActiveState cronie - + ^cups\.(service|socket)$ ActiveState - + ^cups\.(service|socket)$ LoadState cups - + ^debug-shell\.(service|socket)$ ActiveState - + ^debug-shell\.(service|socket)$ LoadState systemd - + ^dhcpd\.(service|socket)$ ActiveState - + ^dhcpd\.(service|socket)$ LoadState dhcp-server - + ^dovecot\.(service|socket)$ ActiveState - + ^dovecot\.(service|socket)$ LoadState dovecot - + multi-user.target - + multi-user.target - + ^fapolicyd\.(socket|service)$ ActiveState fapolicyd - + multi-user.target - + multi-user.target - + ^firewalld\.(socket|service)$ ActiveState firewalld - + ^httpd\.(service|socket)$ ActiveState - + ^httpd\.(service|socket)$ LoadState httpd - + multi-user.target - + multi-user.target - + ^ip6tables\.(socket|service)$ ActiveState iptables-ipv6 - + multi-user.target - + multi-user.target - + ^iptables\.(socket|service)$ ActiveState iptables - + ^kdump\.(service|socket)$ ActiveState - + ^kdump\.(service|socket)$ LoadState kexec-tools - + ^mdmonitor\.(service|socket)$ ActiveState - + ^mdmonitor\.(service|socket)$ LoadState mdadm - + multi-user.target - + multi-user.target - + ^nails\.(socket|service)$ ActiveState nails - + ^named\.(service|socket)$ ActiveState - + ^named\.(service|socket)$ LoadState bind - + ^netconsole\.(service|socket)$ ActiveState - + ^netconsole\.(service|socket)$ LoadState netconsole - + ^netfs\.(service|socket)$ ActiveState - + ^netfs\.(service|socket)$ LoadState netfs - + ^nfs-server\.(service|socket)$ ActiveState - + ^nfs-server\.(service|socket)$ LoadState nfs-utils - + ^nfslock\.(service|socket)$ ActiveState - + ^nfslock\.(service|socket)$ LoadState nfs-utils - + ^nftables\.(service|socket)$ ActiveState - + ^nftables\.(service|socket)$ LoadState nftables - + multi-user.target - + multi-user.target - + ^nftables\.(socket|service)$ ActiveState nftables - + multi-user.target - + multi-user.target - + ^ntp\.(socket|service)$ ActiveState ntp - + multi-user.target - + multi-user.target - + ^ntpd\.(socket|service)$ ActiveState ntp - + ^ntpdate\.(service|socket)$ ActiveState - + ^ntpdate\.(service|socket)$ LoadState ntpdate - + ^oddjobd\.(service|socket)$ ActiveState - + ^oddjobd\.(service|socket)$ LoadState oddjob - + multi-user.target - + multi-user.target - + ^pcscd\.(socket|service)$ ActiveState pcsc-lite - + ^portreserve\.(service|socket)$ ActiveState - + ^portreserve\.(service|socket)$ LoadState portreserve - + multi-user.target - + multi-user.target - + ^postfix\.(socket|service)$ ActiveState postfix - + multi-user.target - + multi-user.target - + ^psacct\.(socket|service)$ ActiveState psacct - + ^qpidd\.(service|socket)$ ActiveState - + ^qpidd\.(service|socket)$ LoadState qpid-cpp-server - + ^quota_nld\.(service|socket)$ ActiveState - + ^quota_nld\.(service|socket)$ LoadState quota-nld - + ^rdisc\.(service|socket)$ ActiveState - + ^rdisc\.(service|socket)$ LoadState iputils - + ^rexec\.(service|socket)$ ActiveState - + ^rexec\.(service|socket)$ LoadState rsh-server - + ^rhnsd\.(service|socket)$ ActiveState - + ^rhnsd\.(service|socket)$ LoadState rhnsd - + ^rhsmcertd\.(service|socket)$ ActiveState - + ^rhsmcertd\.(service|socket)$ LoadState subscription-manager - + ^rlogin\.(service|socket)$ ActiveState - + ^rlogin\.(service|socket)$ LoadState rsh-server - + multi-user.target - + multi-user.target - + ^rngd\.(socket|service)$ ActiveState rng-tools - + ^rpcbind\.(service|socket)$ ActiveState - + ^rpcbind\.(service|socket)$ LoadState rpcbind - + ^rpcgssd\.(service|socket)$ ActiveState - + ^rpcgssd\.(service|socket)$ LoadState nfs-utils - + ^rpcidmapd\.(service|socket)$ ActiveState - + ^rpcidmapd\.(service|socket)$ LoadState nfs-utils - + ^rpcsvcgssd\.(service|socket)$ ActiveState - + ^rpcsvcgssd\.(service|socket)$ LoadState nfs-utils - + ^rsh\.(service|socket)$ ActiveState - + ^rsh\.(service|socket)$ LoadState rsh - + ^rsyncd\.(service|socket)$ ActiveState - + ^rsyncd\.(service|socket)$ LoadState rsync-daemon - + multi-user.target - + multi-user.target - + ^rsyslog\.(socket|service)$ ActiveState rsyslog - + ^saslauthd\.(service|socket)$ ActiveState - + ^saslauthd\.(service|socket)$ LoadState cyrus-sasl - + ^slapd\.(service|socket)$ ActiveState - + ^slapd\.(service|socket)$ LoadState openldap-servers - + ^smb\.(service|socket)$ ActiveState - + ^smb\.(service|socket)$ LoadState samba - + ^snmpd\.(service|socket)$ ActiveState - + ^snmpd\.(service|socket)$ LoadState net-snmp - + ^squid\.(service|socket)$ ActiveState - + ^squid\.(service|socket)$ LoadState squid - + ^sshd\.(service|socket)$ ActiveState - + ^sshd\.(service|socket)$ LoadState openssh-server - + multi-user.target - + multi-user.target - + ^sshd\.(socket|service)$ ActiveState openssh-server - + multi-user.target - + multi-user.target - + ^sssd\.(socket|service)$ ActiveState sssd - + ^syslog\.(service|socket)$ ActiveState - + ^syslog\.(service|socket)$ LoadState rsyslog - + multi-user.target - + multi-user.target - + ^syslog-ng\.(socket|service)$ ActiveState syslog-ng - + ^sysstat\.(service|socket)$ ActiveState - + ^sysstat\.(service|socket)$ LoadState sysstat - + ^systemd-coredump.socket$ LoadState - + multi-user.target - + multi-user.target - + ^systemd-journald\.(socket|service)$ ActiveState systemd - + ^telnet\.(service|socket)$ ActiveState - + ^telnet\.(service|socket)$ LoadState telnet-server - + ^tftp\.(service|socket)$ ActiveState - + ^tftp\.(service|socket)$ LoadState tftp-server - + multi-user.target - + multi-user.target - + ^ufw\.(socket|service)$ ActiveState ufw - + multi-user.target - + multi-user.target - + ^usbguard\.(socket|service)$ ActiveState usbguard - + ^vsftpd\.(service|socket)$ ActiveState - + ^vsftpd\.(service|socket)$ LoadState vsftpd - + ^xinetd\.(service|socket)$ ActiveState - + ^xinetd\.(service|socket)$ LoadState xinetd - + ^ypbind\.(service|socket)$ ActiveState - + ^ypbind\.(service|socket)$ LoadState ypbind - + ^ypserv\.(service|socket)$ ActiveState - + ^ypserv\.(service|socket)$ LoadState ypserv - + ^zebra\.(service|socket)$ ActiveState - + ^zebra\.(service|socket)$ LoadState quagga - + + /etc/firewalld/firewalld.conf + ^[\s]*DefaultZone=drop[\s]*$ + 1 + + ^systemd-journal-remote.socket$ LoadState @@ -330204,7 +330220,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_empty_passwords:obj:1 @@ -330214,7 +330230,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_gssapi_auth:obj:1 @@ -330224,7 +330240,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_kerb_auth:obj:1 @@ -330234,7 +330250,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_pubkey_auth:obj:1 @@ -330244,7 +330260,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_rhosts:obj:1 @@ -330254,7 +330270,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_root_login:obj:1 @@ -330264,7 +330280,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_root_password_login:obj:1 @@ -330274,7 +330290,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)AllowTcpForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_tcp_forwarding:obj:1 @@ -330284,7 +330300,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_user_known_hosts:obj:1 @@ -330294,7 +330310,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_disable_x11_forwarding:obj:1 @@ -330304,7 +330320,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 @@ -330314,7 +330330,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_gssapi_auth:obj:1 @@ -330324,7 +330340,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_pam:obj:1 @@ -330334,7 +330350,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_pubkey_auth:obj:1 @@ -330344,7 +330360,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_strictmodes:obj:1 @@ -330354,7 +330370,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_warning_banner:obj:1 @@ -330364,7 +330380,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_warning_banner_net:obj:1 @@ -330374,7 +330390,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_enable_x11_forwarding:obj:1 @@ -330389,7 +330405,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_print_last_log:obj:1 @@ -330399,7 +330415,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_set_keepalive_0:obj:1 @@ -330409,7 +330425,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_set_loglevel_info:obj:1 @@ -330419,7 +330435,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_set_loglevel_verbose:obj:1 @@ -330434,7 +330450,7 @@ which the system will be deployed as closely as possible.^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 - + oval:ssg-obj_sshd_x11_use_localhost:obj:1 @@ -330484,7 +330500,7 @@ which the system will be deployed as closely as possible.^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b).*$ 1 - + /usr/bin/sudo oval:ssg-exclude_symlinks_sudo_restrict_others_executable_permission:ste:1 oval:ssg-state_file_permissionssudo_restrict_others_executable_permission_0_mode_4110or_stricter_:ste:1 @@ -334284,17 +334300,17 @@ which the system will be deployed as closely as possible.^[\s]*vm.mmap_min_addr[\s]*=[\s]*(.*)[\s]*$ 1 - + multi-user.target - + dnf-automatic\.timer ActiveState - + multi-user.target - + logrotate\.timer ActiveState @@ -334413,12 +334429,12 @@ which the system will be deployed as closely as possible.^(log_file\s*=\s*.*)$ 1 - + /etc/audit/auditd.conf ^[ ]*log_group[ ]+=[ ]+root[ ]*$ 1 - + /etc/audit/auditd.conf ^[ ]*log_group[ ]+=.*$ 1 @@ -334428,7 +334444,7 @@ which the system will be deployed as closely as possible.^\s*GRUB_DISABLE_RECOVERY=(.*)$ 1 - + ^/etc/chrony\.(conf|d/.+\.conf)$ ^([\s]*server[\s]+.+$){2,}$ 1 @@ -334470,7 +334486,7 @@ which the system will be deployed as closely as possible.^VERSION_ID="(\d)"$ 1 - + /etc/debian_version @@ -334495,7 +334511,7 @@ which the system will be deployed as closely as possible. oraclelinux-release - + /etc/os-release @@ -334507,7 +334523,7 @@ which the system will be deployed as closely as possible.openSUSE-release - + /etc/os-release @@ -334636,7 +334652,7 @@ which the system will be deployed as closely as possible. SLE_HPC-release - + /etc/lsb-release @@ -334686,13 +334702,13 @@ which the system will be deployed as closely as possible. openssh-server - - - - - - - + + + + + + + /etc/tmux.conf @@ -334711,13 +334727,13 @@ which the system will be deployed as closely as possible. - + ^(static|none)$ - + 0 - + false false false @@ -334726,7 +334742,7 @@ which the system will be deployed as closely as possible.false false - + false false false @@ -334770,50 +334786,50 @@ which the system will be deployed as closely as possible.false false - + 25 - + ::1 - + - + (?i)root - + - + ^permit_mynetworks[ \t]*[, \t][ \t]*reject$ - + ^.*,sec=krb5\:krb5i\:krb5p.*$ - + 0 - + 0 - + - + maxpoll \d+ - + - + 2 sec=(krb5i|ntlmv2i) - + symbolic link - + /etc/ssh .*_key$ 0 @@ -334829,7 +334845,7 @@ which the system will be deployed as closely as possible.false false - + /etc/ssh .*_key$ @@ -334844,344 +334860,344 @@ which the system will be deployed as closely as possible.false false - + 32 - + 32 - + - + - + - + - + - + - + 0 - + - + - + 0 - + - + 0 - + - + 0 - + 10 - + 30 - + 100 - + - + ^\s*CRYPTO_POLICY\s*=.*-oKexAlgorithms=(?=[\w-])(\becdh-sha2-nistp256\b,?)?(\becdh-sha2-nistp384\b,?)?(\becdh-sha2-nistp521\b,?)?(\bdiffie-hellman-group-exchange-sha256\b,?)?(\bdiffie-hellman-group14-sha256\b,?)?(\bdiffie-hellman-group16-sha512\b,?)?(\bdiffie-hellman-group18-sha512)?(\s.*)?'[\s]*(?:#.*)?$ - + - + - + - + ^.*pam.*$ - + ^.*(try_cert_auth|require_cert_auth).*$ - + ^.*allow_missing_name.*$ - + - + false - + sssd - + - + - + ^LinuxAudit$ - + /etc/systemd/system/default.target ^(/usr)?/lib/systemd/system/multi-user.target$ - + /etc/pam.d/fingerprint-auth /etc/authselect/fingerprint-auth - + /etc/pam.d/password-auth /etc/authselect/password-auth - + /etc/pam.d/postlogin /etc/authselect/postlogin - + /etc/pam.d/smartcard-auth /etc/authselect/smartcard-auth - + /etc/pam.d/system-auth /etc/authselect/system-auth - + - + - + - + - + faillog_t - + - + - + - + - + 0 - + /var/run/faillock - + 2 - + 2 - + - + - + - + 0 - + - + 5000 - + /etc/systemd/system/ctrl-alt-del.target /dev/null - + - + 0 - + 900 - + - + - + - + ^root$ - + - + - + - + - + -1 - + - + - + - + - + - + - + - + - + - + - + - + ^[x*]$ - + ^(!|!!|!\*|\*|!locked)$ - + ^(!\$6\$|!!\$6\$).*$ - + SHA-512 - + .* - + ^(!|!!|!\*|\*|!locked)$ - + 86400000 - + - + - + - + - + - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + 0 - + ^[^:]+:[^:]+:[0-9]+:\s*$ - + 1000 - + ^(root|halt|sync|shutdown|nfsnobody)$ - + ^(!|!!|!\*|\*|!locked).*$ - + 0 - + - + - + - + - + - + - + - + directory false false @@ -335193,7 +335209,7 @@ which the system will be deployed as closely as possible.false false - + directory false false @@ -335205,80 +335221,80 @@ which the system will be deployed as closely as possible.false false - + 1 - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ regular true - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + ^\/[^\/\n]*\/[^\/\n]{1,}.*$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ @@ -335290,55 +335306,55 @@ which the system will be deployed as closely as possible.false false - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + false - + false - + false - + false - + false - + false - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + ^(nobody|nfsnobody)$ - + ^(nobody|nfsnobody)$ - + - + - + false false false @@ -335348,16 +335364,16 @@ which the system will be deployed as closely as possible.false false - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ - + ^(nobody|nfsnobody)$ @@ -335370,13 +335386,13 @@ which the system will be deployed as closely as possible.false false - + 1000 - + ^(nobody|nfsnobody)$ - + ^/sbin/nologin$ @@ -335389,50 +335405,50 @@ which the system will be deployed as closely as possible.false false - + true true - + symbolic link - + ^[:\.] - + :: - + \.\. - + [:\.]$ - + ^[^/] - + [^\\]:[^/] - + - + - + - + - + ^(nobody|nfsnobody)$ - + ^\.bash_history - + @@ -335481,195 +335497,195 @@ which the system will be deployed as closely as possible.true true - + ^/dev/.*$ - + nosuid - + noexec - + true true - + ^/var/tmp/dracut.* - + - + - + - + - + - + - + - + - + SYSLOG - + SINGLE - + HALT - + - + SYSLOG - + SINGLE - + HALT - + - + - + - + - + - + - + rotate - + single - + - + - + - + - + - + ^(?i)(syslog|single|halt)(?-i)$ - + - + - + - + - + ^(?:.*\s)?random\.trust_cpu=on(?:\s.*)?$ - + ^(?:.*\s)?random\.trust_cpu=off(?:\s.*)?$ - + - + - + ^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$ - + - + - + ^['|\(](?!fd)(?!cd)(?!usb).*['|\)]$ - + - + - + \bsystemd.debug-shell\b - + \bsystemd.debug-shell\b - + 416 - + (?=[\S\s]*\s(?i)protocol(?-i)="tcp")(?=[\S\s]*\s(?i)Target(?-i)="[^"]+?")(?=[\S\s]*\s(?i)port(?-i)="6514")(?=[\S\s]*\s(?i)StreamDriver(?-i)="gtls")(?=[\S\s]*\s(?i)StreamDriverMode(?-i)="1")(?=[\S\s]*\s(?i)StreamDriverAuthMode(?-i)="x509/name")(?=[\S\s]*\s(?i)StreamDriver\.CheckExtendedKeyPurpose(?-i)="on") - + 0 - + ResultActive=auth_admin - + PROMISC - + UP - + 0 true - + false true - + 1000 true - + 1000 true - + 0 - + false false false @@ -335681,38 +335697,38 @@ which the system will be deployed as closely as possible.false false - + true - + - + true - + - + regular true - + ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ - + ^/proc/.*$ - + ^/sys/.*$ - + - + - + 1000 @@ -335722,184 +335738,184 @@ which the system will be deployed as closely as possible.true true - + symbolic link - + ^.*\bnousb\b.*$ - + ^/dev/.*$ nodev - + - + ^(?i)0(?-i)$ - + ^(?i)0(?-i)$ - + ^(?i)none(?-i)$ - + ^(?i)none(?-i)$ - + 0 - + 0 - + - + 1 - + ^(block|character) special$ - + device_t - + unlabeled_t - + unconfined_service_t - + ^(enforcing|permissive)$ - + - + - + x86_64 - + \blm\b - + ^(x86_64|aarch64|ppc64le|s390x)$ - + - + - + ^false$ - + - + - + - + - + - + - + /etc/crypto-policies/back-ends/krb5.config - + 1.2 - + - + - + 0:20210617-1 - + ^TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256$ - + ^final all$ - + ^512M 1h$ - + ^no$ - + ^aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc$ - + ^ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256$ - + ^hmac-sha2-512,hmac-sha2-256$ - + ^ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1$ - + - + - + ^'-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'$ - + - + - + /etc/profile.d/openssl-rand.sh SHA-256 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af - + - + fips - + ^(?:.*\s)?fips=1(?:\s.*)?$ - + ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ - + 1 - + ^p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512$ - + ^.*sha512.*$ - + ^.*acl.*$ - + ^.*xattrs.*$ @@ -335907,73 +335923,73 @@ which the system will be deployed as closely as possible.false false - + fail - + fail - + fail - + - + /etc/sudoers.d - + ^yes$ - + ^security$ - + 4ae0493b fd431d51 - + 5b32db75 d4082792 - + 5ccc5b19 8483c65d - + - + - + - + - + - + 0 - + - + - + - + - + - + ## Unsuccessful file access (any other opens) This has to go last. -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access @@ -335981,14 +335997,14 @@ which the system will be deployed as closely as possible. - + ## Successful file access (any other opens) This has to go last. ## These next two are likely to result in a whole lot of events -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access - + ## First rule - delete all -D @@ -336004,7 +336020,7 @@ which the system will be deployed as closely as possible. - + ## Unsuccessful file creation (open with O_CREAT) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create @@ -336020,7 +336036,7 @@ which the system will be deployed as closely as possible. - + ## Successful file creation (open with O_CREAT) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create @@ -336030,7 +336046,7 @@ which the system will be deployed as closely as possible. - + ## Unsuccessful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete @@ -336038,19 +336054,19 @@ which the system will be deployed as closely as possible. - + ## Successful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete - + ## Make the loginuid immutable. This prevents tampering with the auid. --loginuid-immutable - + ## Unsuccessful file modifications (open for write or truncate) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification @@ -336066,7 +336082,7 @@ which the system will be deployed as closely as possible. - + ## Successful file modifications (open for write or truncate) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification @@ -336076,7 +336092,7 @@ which the system will be deployed as closely as possible. - + ## These rules watch for kernel module insertion. By monitoring ## the syscall, we do not need any watches on programs. -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load @@ -336085,7 +336101,7 @@ which the system will be deployed as closely as possible. - + ## The purpose of these rules is to meet the requirements for Operating ## System Protection Profile (OSPP)v4.2. These rules depends on having ## the following rule files copied to /etc/audit/rules.d: @@ -336172,7 +336188,7 @@ which the system will be deployed as closely as possible. - + ## Unsuccessful ownership change -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change @@ -336180,13 +336196,13 @@ which the system will be deployed as closely as possible. - + ## Successful ownership change -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change - + ## Unsuccessful permission change -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change @@ -336194,681 +336210,681 @@ which the system will be deployed as closely as possible. - + ## Successful permission change -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change - + ^(?i)50(?-i)$ - + ^(?i)yes(?-i)$ - + ^(?i)ENRICHED(?-i)$ - + ^(?i)yes(?-i)$ - + ^(?:.*\s)?selinux=0(?:\s.*)?$ - + ^(?:.*\s)?selinux=0(?:\s.*)?$ - + ^(?:.*\s)?selinux=0(?:\s.*)?$ - + ^true$ - + ^'lock-screen'$ - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + symbolic link - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + symbolic link - + false false - + false false - + false false - + false false - + symbolic link - + ^no$ - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 4 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + symbolic link - + - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + 104 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + 0 - + symbolic link - + 0 - + 0 - + 0 - + 0 - + symbolic link - + 0 - + symbolic link - + 0 - + symbolic link - + false false false @@ -336880,62 +336896,62 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + false false false false false - + symbolic link - + false false false @@ -336946,7 +336962,7 @@ which the system will be deployed as closely as possible.false false - + false false false @@ -336957,10 +336973,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -336970,10 +336986,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -336987,10 +337003,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337000,10 +337016,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337017,10 +337033,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337032,10 +337048,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337046,10 +337062,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337060,10 +337076,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337074,10 +337090,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337088,10 +337104,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337102,10 +337118,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337117,10 +337133,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337131,10 +337147,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337145,10 +337161,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337159,10 +337175,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337173,10 +337189,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337186,10 +337202,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337203,10 +337219,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337216,10 +337232,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337229,10 +337245,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337242,10 +337258,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337255,10 +337271,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337272,10 +337288,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337287,29 +337303,29 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false - + false false - + false false - + false false - + symbolic link - + false false false @@ -337321,10 +337337,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337334,10 +337350,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337349,20 +337365,20 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false false false - + symbolic link - + false false false @@ -337373,10 +337389,10 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + false false false @@ -337387,727 +337403,727 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + ^nftables$ - + ^(?:.*\s)?audit=1(?:\s.*)?$ - + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ - + ^(?:.*\s)?iommu=force(?:\s.*)?$ - + ^(?:.*\s)?ipv6\.disable=1(?:\s.*)?$ - + - + ^(?:.*\s)?mce=0(?:\s.*)?$ - + ^(?:.*\s)?page_poison=1(?:\s.*)?$ - + ^(?:.*\s)?pti=on(?:\s.*)?$ - + - + ^(?:.*\s)?slab_nomerge=yes(?:\s.*)?$ - + - + - + ^(?:.*\s)?spectre_v2=on(?:\s.*)?$ - + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ - + ^yes$ - + ^yes$ - + ^persistent$ - + n - + - + y - + - + n - + - + y - + - + y - + - + n - + - + n - + - + y - + - + n - + - + y - + - + y - + - + y - + - + y - + - + 65536 - + - + n - + - + y - + - + y - + - + y - + - + y - + - + n - + - + n - + - + n - + - + n - + - + n - + - + n - + - + n - + - + y - + - + n - + - + y - + - + y - + - + y - + - + - + - + - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + - + - + n - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + n - + - + y - + - + y - + - + y - + - + y - + - + n - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + y - + - + n - + - + nosuid - + 1 nosuid - + noauto - + 1 noauto - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + grpquota - + 1 grpquota - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + usrquota - + 1 usrquota - + ^.*sec=krb5:krb5i:krb5p.*$ - + ^.*nodev.*$ - + ^.*,?nodev,?.*$ - + ^.*,?nodev,?.* - + ^.*noexec.*$ - + ^.*,?noexec,?.*$ - + ^.*,?noexec,?.* - + ^.*nosuid.*$ - + ^.*,?nosuid,?.*$ - + ^.*,?nosuid,?.* - + nosuid - + 1 nosuid - + - + 1 - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + nodev - + 1 nodev - + noexec - + 1 noexec - + nosuid - + 1 nosuid - + 0 - + 0 - + 0 - + 0 - + symbolic link - + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) - + regular - + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) - + regular - + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) - + regular false false @@ -338119,2099 +338135,2099 @@ which the system will be deployed as closely as possible.false false - + abrt_anon_write - + abrt_handle_event - + abrt_upload_watch_anon_write - + antivirus_can_scan_system - + antivirus_use_jit - + auditadm_exec_content - + authlogin_nsswitch_use_ldap - + authlogin_radius - + authlogin_yubikey - + awstats_purge_apache_log_files - + boinc_execmem - + cdrecord_read_content - + cluster_can_network_connect - + cluster_manage_all_files - + cluster_use_execmem - + cobbler_anon_write - + cobbler_can_network_connect - + cobbler_use_cifs - + cobbler_use_nfs - + collectd_tcp_network_connect - + condor_tcp_network_connect - + conman_can_network - + container_connect_any - + cron_can_relabel - + cron_system_cronjob_use_shares - + cron_userdomain_transition - + cups_execmem - + cvs_read_shadow - + daemons_dump_core - + daemons_enable_cluster_mode - + daemons_use_tcp_wrapper - + daemons_use_tty - + dbadm_exec_content - + dbadm_manage_user_files - + dbadm_read_user_files - + deny_execmem - + deny_ptrace - + dhcpc_exec_iptables - + dhcpd_use_ldap - + domain_fd_use - + domain_kernel_load_modules - + entropyd_use_audio - + exim_can_connect_db - + exim_manage_user_files - + exim_read_user_files - + fcron_crond - + fenced_can_network_connect - + fenced_can_ssh - + fips_mode - + ftpd_anon_write - + ftpd_connect_all_unreserved - + ftpd_connect_db - + ftpd_full_access - + ftpd_use_cifs - + ftpd_use_fusefs - + ftpd_use_nfs - + ftpd_use_passive_mode - + git_cgi_enable_homedirs - + git_cgi_use_cifs - + git_cgi_use_nfs - + git_session_bind_all_unreserved_ports - + git_session_users - + git_system_enable_homedirs - + git_system_use_cifs - + git_system_use_nfs - + gitosis_can_sendmail - + glance_api_can_network - + glance_use_execmem - + glance_use_fusefs - + global_ssp - + gluster_anon_write - + gluster_export_all_ro - + gluster_export_all_rw - + gpg_web_anon_write - + gssd_read_tmp - + guest_exec_content - + haproxy_connect_any - + httpd_anon_write - + httpd_builtin_scripting - + httpd_can_check_spam - + httpd_can_connect_ftp - + httpd_can_connect_ldap - + httpd_can_connect_mythtv - + httpd_can_connect_zabbix - + httpd_can_network_connect - + httpd_can_network_connect_cobbler - + httpd_can_network_connect_db - + httpd_can_network_memcache - + httpd_can_network_relay - + httpd_can_sendmail - + httpd_dbus_avahi - + httpd_dbus_sssd - + httpd_dontaudit_search_dirs - + httpd_enable_cgi - + httpd_enable_ftp_server - + httpd_enable_homedirs - + httpd_execmem - + httpd_graceful_shutdown - + httpd_manage_ipa - + httpd_mod_auth_ntlm_winbind - + httpd_mod_auth_pam - + httpd_read_user_content - + httpd_run_ipa - + httpd_run_preupgrade - + httpd_run_stickshift - + httpd_serve_cobbler_files - + httpd_setrlimit - + httpd_ssi_exec - + httpd_sys_script_anon_write - + httpd_tmp_exec - + httpd_tty_comm - + httpd_unified - + httpd_use_cifs - + httpd_use_fusefs - + httpd_use_gpg - + httpd_use_nfs - + httpd_use_openstack - + httpd_use_sasl - + httpd_verify_dns - + icecast_use_any_tcp_ports - + irc_use_any_tcp_ports - + irssi_use_full_network - + kdumpgui_run_bootloader - + kerberos_enabled - + ksmtuned_use_cifs - + ksmtuned_use_nfs - + logadm_exec_content - + logging_syslogd_can_sendmail - + logging_syslogd_run_nagios_plugins - + logging_syslogd_use_tty - + login_console_enabled - + logrotate_use_nfs - + logwatch_can_network_connect_mail - + lsmd_plugin_connect_any - + mailman_use_fusefs - + mcelog_client - + mcelog_exec_scripts - + mcelog_foreground - + mcelog_server - + minidlna_read_generic_user_content - + mmap_low_allowed - + mock_enable_homedirs - + mount_anyfile - + mozilla_plugin_bind_unreserved_ports - + mozilla_plugin_can_network_connect - + mozilla_plugin_use_bluejeans - + mozilla_plugin_use_gps - + mozilla_plugin_use_spice - + mozilla_read_content - + mpd_enable_homedirs - + mpd_use_cifs - + mpd_use_nfs - + mplayer_execstack - + mysql_connect_any - + nagios_run_pnp4nagios - + nagios_run_sudo - + named_tcp_bind_http_port - + named_write_master_zones - + neutron_can_network - + nfs_export_all_ro - + nfs_export_all_rw - + nfsd_anon_write - + nis_enabled - + nscd_use_shm - + openshift_use_nfs - + openvpn_can_network_connect - + openvpn_enable_homedirs - + openvpn_run_unconfined - + pcp_bind_all_unreserved_ports - + pcp_read_generic_logs - + piranha_lvs_can_network_connect - + polipo_connect_all_unreserved - + polipo_session_bind_all_unreserved_ports - + polipo_session_users - + polipo_use_cifs - + polipo_use_nfs - + polyinstantiation_enabled - + postfix_local_write_mail_spool - + postgresql_can_rsync - + postgresql_selinux_transmit_client_label - + postgresql_selinux_unconfined_dbadm - + postgresql_selinux_users_ddl - + pppd_can_insmod - + pppd_for_user - + privoxy_connect_any - + prosody_bind_http_port - + puppetagent_manage_all_files - + puppetmaster_use_db - + racoon_read_shadow - + rsync_anon_write - + rsync_client - + rsync_export_all_ro - + rsync_full_access - + samba_create_home_dirs - + samba_domain_controller - + samba_enable_home_dirs - + samba_export_all_ro - + samba_export_all_rw - + samba_load_libgfapi - + samba_portmapper - + samba_run_unconfined - + samba_share_fusefs - + samba_share_nfs - + sanlock_use_fusefs - + sanlock_use_nfs - + sanlock_use_samba - + saslauthd_read_shadow - + secadm_exec_content - + secure_mode - + secure_mode_insmod - + secure_mode_policyload - + selinuxuser_direct_dri_enabled - + selinuxuser_execheap - + selinuxuser_execmod - + selinuxuser_execstack - + selinuxuser_mysql_connect_enabled - + selinuxuser_ping - + selinuxuser_postgresql_connect_enabled - + selinuxuser_rw_noexattrfile - + selinuxuser_share_music - + selinuxuser_tcp_server - + selinuxuser_udp_server - + selinuxuser_use_ssh_chroot - + sge_domain_can_network_connect - + sge_use_nfs - + smartmon_3ware - + smbd_anon_write - + spamassassin_can_network - + spamd_enable_home_dirs - + squid_connect_any - + squid_use_tproxy - + ssh_chroot_rw_homedirs - + ssh_keysign - + ssh_sysadm_login - + staff_exec_content - + staff_use_svirt - + swift_can_network - + sysadm_exec_content - + telepathy_connect_all_ports - + telepathy_tcp_connect_generic_network_ports - + tftp_anon_write - + tftp_home_dir - + tmpreaper_use_nfs - + tmpreaper_use_samba - + tor_bind_all_unreserved_ports - + tor_can_network_relay - + unconfined_chrome_sandbox_transition - + unconfined_login - + unconfined_mozilla_plugin_transition - + unprivuser_use_svirt - + use_ecryptfs_home_dirs - + use_fusefs_home_dirs - + use_lpd_server - + use_nfs_home_dirs - + use_samba_home_dirs - + user_exec_content - + varnishd_connect_any - + virt_read_qemu_ga_data - + virt_rw_qemu_ga_data - + virt_sandbox_use_all_caps - + virt_sandbox_use_audit - + virt_sandbox_use_mknod - + virt_sandbox_use_netlink - + virt_sandbox_use_sys_admin - + virt_transition_userdomain - + virt_use_comm - + virt_use_execmem - + virt_use_fusefs - + virt_use_nfs - + virt_use_rawip - + virt_use_samba - + virt_use_sanlock - + virt_use_usb - + virt_use_xserver - + webadm_manage_user_files - + webadm_read_user_files - + wine_mmap_zero_ignore - + xdm_bind_vnc_tcp_port - + xdm_exec_bootloader - + xdm_sysadm_login - + xdm_write_home - + xen_use_nfs - + xend_run_blktap - + xend_run_qemu - + xguest_connect_network - + xguest_exec_content - + xguest_mount_media - + xguest_use_bluetooth - + xserver_clients_write_xshm - + xserver_execmem - + xserver_object_manager - + zabbix_can_network - + zarafa_setrlimit - + zebra_write_config - + zoneminder_anon_write - + zoneminder_run_sudo - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + auditd.service - + auditd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + chronyd.service - + chronyd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + cron.service - + cron.socket - + active - + crond.service - + crond.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + fapolicyd.service - + fapolicyd.socket - + active - + firewalld.service - + firewalld.socket - + active - + inactive|failed - + masked - + ip6tables.service - + ip6tables.socket - + active - + iptables.service - + iptables.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + nails.service - + nails.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + nftables.service - + nftables.socket - + active - + ntp.service - + ntp.socket - + active - + ntpd.service - + ntpd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + pcscd.service - + pcscd.socket - + active - + inactive|failed - + masked - + postfix.service - + postfix.socket - + active - + psacct.service - + psacct.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + rngd.service - + rngd.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + rsyslog.service - + rsyslog.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + sshd.service - + sshd.socket - + active - + sssd.service - + sssd.socket - + active - + inactive|failed - + masked - + syslog-ng.service - + syslog-ng.socket - + active - + inactive|failed - + masked - + masked - + systemd-journald.service - + systemd-journald.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + ufw.service - + ufw.socket - + active - + usbguard.service - + usbguard.socket - + active - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + inactive|failed - + masked - + masked - + ^no$ - + ^no$ - + ^no$ - + ^no$ - + ^yes$ - + ^no$ - + ^prohibit-password$ - + ^no$ - + ^yes$ - + ^no$ - + ^no$ - + ^yes$ - + ^yes$ - + ^yes$ - + ^yes$ - + ^/etc/issue$ - + ^/etc/issue.net$ - + ^yes$ - + ^yes$ - + ^0$ - + ^INFO$ - + ^VERBOSE$ - + ^32$ - + ^yes$ - + - + - + - + false false false @@ -340222,682 +340238,682 @@ which the system will be deployed as closely as possible.false false - + symbolic link - + 1 - + 1 - + 1 - + 1 - + 0 - + 0 - + |/bin/false - + |/bin/false - + 0 - + 0 - + 1 - + 1 - + 1 - + 1 - + 1 - + 2 - + 1 - + 2 - + 1 - + 1 - + 1 - + 1 - + 1 - + 1 - + 1 - + 1 - + 2 - + 2 - + 65536 - + 65536 - + 2 - + 2 - + 0 - + 0 - + 1 - + 1 - + 1 - + 1 - + 2 - + 2 - + 0 - + 0 - + - + - + - + - + - + - + - + - + 1 - + 1 - + - + - + - + - + 0 - + 0 - + 1 - + 2 - + 1 - + 2 - + - + - + 0 - + 0 - + - + - + - + - + - + - + - + - + - + - + - + - + 0 - + 0 - + - + - + - + - + - + - + 0 - + 0 - + 32768\s*65535 - + 32768\s*65535 - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 1 - + 1 - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 1 - + 1 - + - + - + - + - + 0 - + 0 - + 65536 - + 65536 - + dnf-automatic.timer - + active - + logrotate.timer - + active - + ^(?:.*\s)?audit=1(?:\s.*)?$ - + ^(?:.*\s)?audit=1(?:\s.*)?$ - + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ - + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ - + ^(?:.*\s)?page_poison=1(?:\s.*)?$ - + ^(?:.*\s)?page_poison=1(?:\s.*)?$ - + ^(?:.*\s)?slub_debug=P(?:\s.*)?$ - + ^(?:.*\s)?slub_debug=P(?:\s.*)?$ - + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ - + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ - + ^(true|"true")$ - + ^23.*$ - + ^7.*$ - + centos - + 8 - + centos - + 9 - + ol - + ^7.*$ - + ^8.*$ - + ^9.*$ - + openSUSE-release - + unix - + rhcos - + 4 - + 9 - + rhel - + unix - + ^7.*$ - + ^7.*$ - + ^7.*$ - + ^7.*$ - + 7 - + unix - + ^8.*$ - + ^8.0*$ - + ^8.1*$ - + ^8.2*$ - + ^8.3*$ - + ^8.4*$ - + ^8.5*$ - + ^8.6*$ - + ^8.7*$ - + ^8.8*$ - + ^8.9*$ - + ^8.10*$ - + 8 - + unix - + ^9.*$ - + 9 - + 0:4.4 - + ^7.*$ - + unix - + ^12.*$ - + ^12.*$ - + ^12.*$ - + unix - + ^15.*$ - + ^15.*$ - + ^15.*$ - + ^4.*$ - + ^15.*$ - + bwrap-osbuild - + 1 - + 2 - + 0 - + 0:7.4 - + aarch64 - + ppc64 - + ppc64le - + s390x - + i686 - + x86_64 true - + /dev/cdrom - - - - - + + + + + - + ^[\s]*RekeyLimit[\s]+ @@ -340906,14 +340922,14 @@ which the system will be deployed as closely as possible.[\s]*$ - - - + + + - + @@ -340921,19 +340937,19 @@ which the system will be deployed as closely as possible. ^(dmz|external|home|internal|public|trusted|work)\.xml$ - + - + - - - + + + ^ @@ -340942,43 +340958,43 @@ which the system will be deployed as closely as possible.[\s]*$ - - - - - - - - + + + + + + + + - + - - + + - + - - - - - - - - - + + + + + + + + + @@ -340986,7 +341002,7 @@ which the system will be deployed as closely as possible.^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit - + ^\s*password\s+(?: @@ -340999,13 +341015,13 @@ which the system will be deployed as closely as possible. - + ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ - + ^\s*remember\s*=\s*([0-9]+) - + ^\s*password\s+(?: @@ -341017,57 +341033,57 @@ which the system will be deployed as closely as possible. - + ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ - + ^\s*remember\s*=\s*([0-9]+) - + ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*$ - + ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ - + ^\s*remember\s*=\s*([0-9]+) ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) - + ^[\s]*deny[\s]*=[\s]*([0-9]+) - - + + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root - + ^[\s]*even_deny_root - + dir\s*=\s*(\S+|"[^"]+) @@ -341083,7 +341099,7 @@ which the system will be deployed as closely as possible. - + @@ -341092,7 +341108,7 @@ which the system will be deployed as closely as possible. - + @@ -341101,68 +341117,68 @@ which the system will be deployed as closely as possible. - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*local_users_only - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) - + ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) - + ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]+preauth[^\n#]+silent - + ^[\s]*auth\N+pam_unix\.so - + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - + ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) - + ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) - - - + + + - - - - + + + + - + @@ -341170,63 +341186,63 @@ which the system will be deployed as closely as possible. - + - + - + - + - - + + - + - + - - + + - - + + - - - + + + @@ -341237,25 +341253,25 @@ which the system will be deployed as closely as possible.86400 - + - + 5000 - - + + 5000 - + - + - + ^ @@ -341264,60 +341280,60 @@ which the system will be deployed as closely as possible.:[^:]+:[0-9]+:.*$ - - + + - + - + - + - - - + + + - - + + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ - + - + - + - + - + ^[^#]* @@ -341325,189 +341341,189 @@ which the system will be deployed as closely as possible. - - + + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ - + - + - + - + - + - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + - + - + - + - + - + 64 @@ -341520,22 +341536,22 @@ which the system will be deployed as closely as possible. - + - + - + - + 64 @@ -341548,22 +341564,22 @@ which the system will be deployed as closely as possible. - + - + - + - + 64 @@ -341604,29 +341620,29 @@ which the system will be deployed as closely as possible. - + ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ - + - + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - + - + - + @@ -341655,91 +341671,91 @@ which the system will be deployed as closely as possible. - - - - + + + + (?i) - - + + (?i) - - - - - - - - - - - - + + + + + + + + + + + + (?i) - - + + - + - + - + - + /boot/config- - + - + - + - + - + - + - + - + - + 64 @@ -341758,44 +341774,44 @@ which the system will be deployed as closely as possible. - - + + - + - + - + - + - + - + - + - + - + - + 64 @@ -341808,114 +341824,114 @@ which the system will be deployed as closely as possible. - + - - - + + + - + - + - + - - - + + + - + - - + + - + - + - + - + Ciphers - + -oCiphers= - + MACs - + -oMACs= - + - - + + / - + - + ^ :x:(\d+):.*$ - - - - - - - - - - - + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ @@ -341988,22 +342004,22 @@ which the system will be deployed as closely as possible. ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - + ^\-w[\s]+ [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - - + + ^\-w[\s]+ \/var\/log\/lastlog [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - + ^\-w[\s]+ \/var\/log\/tallylog @@ -343836,948 +343852,948 @@ which the system will be deployed as closely as possible. - + ^\-w[\s]+ \/var\/log\/sudo.log [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ - + - + ^(?:.*\s)?l1tf= (?:\s.*)?$ - - + + ^(?:.*\s)?rng_core.default_quality= (?:\s.*)?$ - - + + ^(?:.*\s)?slub_debug= (?:\s.*)?$ - - + + ^(?:.*\s)?spec_store_bypass_disable= (?:\s.*)?$ - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344785,7 +344801,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344793,7 +344809,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344801,7 +344817,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344809,7 +344825,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344817,7 +344833,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344825,7 +344841,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344833,7 +344849,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344841,7 +344857,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344849,7 +344865,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344857,7 +344873,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344865,7 +344881,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344873,7 +344889,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344881,7 +344897,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344889,7 +344905,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344897,7 +344913,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344905,7 +344921,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344913,7 +344929,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344921,7 +344937,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344929,7 +344945,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344937,7 +344953,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344945,7 +344961,7 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /etc/modprobe.d /etc/modules-load.d /run/modprobe.d @@ -344953,497 +344969,497 @@ which the system will be deployed as closely as possible./usr/lib/modprobe.d /usr/lib/modules-load.d - + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - - + + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - + ^[\s]* [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ - - + + hidepid= - + - + ^/etc/rsyslog.conf$ - + - + - + - + - + ^/etc/rsyslog.conf$ - + - + - + - + - + ^/etc/rsyslog.conf$ - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc/pam.d/system-auth - + - + /dev/cdrom /dev/dvd /dev/scd0 /dev/sr0 - - - + + + - + - + - + 64 @@ -345456,23 +345472,23 @@ which the system will be deployed as closely as possible. - - + + - + - + - + 64 @@ -345488,13 +345504,13 @@ which the system will be deployed as closely as possible. - + build_shorthand.py from SCAP Security Guide ssg: 0.1.71 2.0 - 2023-11-08T00:06:40 + 2023-11-09T00:08:47 @@ -381104,16 +381120,16 @@ $ rpm -q abrt-addon-ccpp - - + + - combine_ovals.py from SCAP Security Guide + Script combine_ovals.py from SCAP Security Guide ssg: [0, 1, 71], python: 3.10.12 5.11 - 2023-11-08T00:06:20 + 2023-11-09T00:08:34 - + Alibaba Cloud Linux 2 @@ -381127,7 +381143,7 @@ $ rpm -q abrt-addon-ccpp - + Alibaba Cloud Linux 3 @@ -381141,7 +381157,7 @@ $ rpm -q abrt-addon-ccpp - + Anolis OS 8 @@ -381155,7 +381171,7 @@ $ rpm -q abrt-addon-ccpp - + Debian Linux 10 @@ -381169,7 +381185,7 @@ $ rpm -q abrt-addon-ccpp - + Debian Linux 11 @@ -381183,7 +381199,7 @@ $ rpm -q abrt-addon-ccpp - + Debian Linux 12 @@ -381197,7 +381213,7 @@ $ rpm -q abrt-addon-ccpp - + openSUSE Leap 15 @@ -381211,7 +381227,7 @@ $ rpm -q abrt-addon-ccpp - + openSUSE Leap 42 @@ -381227,7 +381243,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 22.04 LTS @@ -381241,7 +381257,7 @@ $ rpm -q abrt-addon-ccpp - + UnionTech OS Server 20 @@ -381255,7 +381271,7 @@ $ rpm -q abrt-addon-ccpp - + Red Hat Virtualization 4 @@ -381265,42 +381281,42 @@ $ rpm -q abrt-addon-ccpp The application installed installed on the system is Red Hat Virtualization 4. - + - + Package grub2 is installed Red Hat Enterprise Linux 8 - Checks if package grub2-common is installed. + Checks if package grub2-common is installed. - - + + - + Package providing /etc/login.defs is installed Red Hat Enterprise Linux 8 - Checks if package providing /etc/login.defs and is installed. + Checks if package providing /etc/login.defs and is installed. - + - + Check if the system doesn't act as an oVirt host or manager @@ -381308,78 +381324,78 @@ $ rpm -q abrt-addon-ccpp Check if the system has neither ovirt-host nor ovirt-engine installed. - - + + - + Check if the system acts as an oVirt host or manager Red Hat Enterprise Linux 8 - Check if the system has ovirt-host or ovirt-engine installed + Check if the system has ovirt-host or ovirt-engine installed - + WiFi interface is present Red Hat Enterprise Linux 8 - Checks if any wifi interface is present. + Checks if any wifi interface is present. - + - + Check if the scan target is a container Red Hat Enterprise Linux 8 - Check for presence of files characterizing container filesystems. + Check for presence of files characterizing container filesystems. - + Check if the scan target is a machine Red Hat Enterprise Linux 8 - Check for absence of files characterizing container filesystems. + Check for absence of files characterizing container filesystems. - - + + - + System runs on UEK kernel Red Hat Enterprise Linux 8 - Check if System is running on UEK kernel. + Check if System is running on UEK kernel. - + Kerberos server is older than 1.17-18 @@ -381393,7 +381409,7 @@ $ rpm -q abrt-addon-ccpp - + Kerberos workstation is older than 1.17-18 @@ -381407,7 +381423,7 @@ $ rpm -q abrt-addon-ccpp - + Test that the architecture is aarch64 @@ -381415,11 +381431,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64 - + - + Test for different architecture than aarch64 @@ -381427,11 +381443,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64 - - + + - + Test for different architecture than s390x @@ -381439,11 +381455,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x - - + + - + Test that the architecture is ppc64le @@ -381451,11 +381467,11 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le - + - + Test that the architecture is s390x @@ -381463,90 +381479,90 @@ $ rpm -q abrt-addon-ccpp Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x - + - + Running kernel has fips mode enabled Red Hat Enterprise Linux 8 - Check if sysctl crypto.fips_enabled = 1 + Check if sysctl crypto.fips_enabled = 1 - - + + - + Secure Boot status check Red Hat Enterprise Linux 8 - Check if System has Secure Boot enabled. + Check if System has Secure Boot enabled. - + - + SELinux status check Red Hat Enterprise Linux 8 - Check if System has SELinux enabled. + Check if System has SELinux enabled. - + SSSD is configured to use LDAP Red Hat Enterprise Linux 8 - Identification provider is not set to ad within /etc/sssd/sssd.conf + Identification provider is not set to ad within /etc/sssd/sssd.conf - - + + - + Non-UEFI system boot mode check Red Hat Enterprise Linux 8 - Check if System boot mode is non-UEFI. + Check if System boot mode is non-UEFI. - - + + - + UEFI system boot mode check Red Hat Enterprise Linux 8 - Check if system boot mode is UEFI. + Check if system boot mode is UEFI. - - + + - + Anolis OS 23 @@ -381560,7 +381576,7 @@ $ rpm -q abrt-addon-ccpp - + CentOS 7 @@ -381575,7 +381591,7 @@ $ rpm -q abrt-addon-ccpp - + CentOS 8 @@ -381591,7 +381607,7 @@ $ rpm -q abrt-addon-ccpp - + CentOS Stream 9 @@ -381607,7 +381623,7 @@ $ rpm -q abrt-addon-ccpp - + Debian @@ -381620,7 +381636,7 @@ $ rpm -q abrt-addon-ccpp - + Installed operating system is Fedora @@ -381639,7 +381655,7 @@ $ rpm -q abrt-addon-ccpp - + @@ -381651,7 +381667,7 @@ $ rpm -q abrt-addon-ccpp - + Oracle Linux 7 @@ -381661,14 +381677,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Oracle Linux 7 - + - + Oracle Linux 8 @@ -381678,14 +381694,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Oracle Linux 8 - + - + Oracle Linux 9 @@ -381695,14 +381711,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Oracle Linux 9 - + - + OpenEmbedded @@ -381716,7 +381732,7 @@ $ rpm -q abrt-addon-ccpp - + openSUSE @@ -381729,7 +381745,7 @@ $ rpm -q abrt-addon-ccpp - + Installed operating system is part of the Unix family @@ -381737,11 +381753,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is part of the Unix OS family - + - + Poky @@ -381755,7 +381771,7 @@ $ rpm -q abrt-addon-ccpp - + Red Hat Enterprise Linux CoreOS @@ -381765,14 +381781,14 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux CoreOS release 4 - + - + Red Hat Enterprise Linux CoreOS RHEL9 Based @@ -381782,11 +381798,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux CoreOS RHEL9 Based - + - + @@ -381798,7 +381814,7 @@ $ rpm -q abrt-addon-ccpp - + Red Hat Enterprise Linux 7 @@ -381808,21 +381824,21 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 7 - + - + - + Red Hat Enterprise Linux 8 @@ -381832,18 +381848,18 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8 - + - + - + Red Hat Enterprise Linux 8.0 @@ -381852,11 +381868,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.0 - + - + Red Hat Enterprise Linux 8.1 @@ -381865,11 +381881,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.1 - + - + Red Hat Enterprise Linux 8.2 @@ -381878,11 +381894,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.2 - + - + Red Hat Enterprise Linux 8.3 @@ -381891,11 +381907,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.3 - + - + Red Hat Enterprise Linux 8.4 @@ -381904,11 +381920,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.4 - + - + Red Hat Enterprise Linux 8.5 @@ -381917,11 +381933,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.5 - + - + Red Hat Enterprise Linux 8.6 @@ -381930,11 +381946,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.6 - + - + Red Hat Enterprise Linux 8.7 @@ -381943,11 +381959,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.7 - + - + Red Hat Enterprise Linux 8.8 @@ -381956,11 +381972,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.8 - + - + Red Hat Enterprise Linux 8.9 @@ -381969,11 +381985,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.9 - + - + Red Hat Enterprise Linux 8.10 @@ -381982,11 +381998,11 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 8.10 - + - + Red Hat Enterprise Linux 9 @@ -381996,18 +382012,18 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is Red Hat Enterprise Linux 9 - + - + - + Red Hat Virtualization 4 @@ -382022,7 +382038,7 @@ $ rpm -q abrt-addon-ccpp - + Scientific Linux 7 @@ -382037,7 +382053,7 @@ $ rpm -q abrt-addon-ccpp - + SUSE Linux Enterprise 12 @@ -382048,7 +382064,7 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is SUSE Linux Enterprise 12. - + @@ -382057,7 +382073,7 @@ $ rpm -q abrt-addon-ccpp - + SUSE Linux Enterprise 15 @@ -382068,7 +382084,7 @@ $ rpm -q abrt-addon-ccpp The operating system installed on the system is SUSE Linux Enterprise 15. - + @@ -382079,7 +382095,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu @@ -382093,7 +382109,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 16.04 LTS @@ -382107,7 +382123,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 18.04 LTS @@ -382121,7 +382137,7 @@ $ rpm -q abrt-addon-ccpp - + Ubuntu 20.04 LTS @@ -382135,33 +382151,33 @@ $ rpm -q abrt-addon-ccpp - + System uses zIPL Red Hat Enterprise Linux 8 - Checks if system uses zIPL bootloader. + Checks if system uses zIPL bootloader. - + - + Check if the environment is a OSBuild pipeline Red Hat Enterprise Linux 8 - Check the value of environment variable container. + Check the value of environment variable container. - + - + IPv6 is enabled on system @@ -382170,11 +382186,11 @@ $ rpm -q abrt-addon-ccpp - - + + - + Mountpoint /home is active (mounted) or configured in /etc/fstab @@ -382183,15 +382199,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /opt is active (mounted) or configured in /etc/fstab @@ -382200,15 +382216,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /srv is active (mounted) or configured in /etc/fstab @@ -382217,15 +382233,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /tmp is active (mounted) or configured in /etc/fstab @@ -382234,15 +382250,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var/log/audit is active (mounted) or configured in /etc/fstab @@ -382251,15 +382267,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var/log is active (mounted) or configured in /etc/fstab @@ -382268,15 +382284,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var/tmp is active (mounted) or configured in /etc/fstab @@ -382285,15 +382301,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Mountpoint /var is active (mounted) or configured in /etc/fstab @@ -382302,15 +382318,15 @@ $ rpm -q abrt-addon-ccpp - + - + - + Operating System is ol @@ -382323,7 +382339,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is ol @@ -382336,7 +382352,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382349,7 +382365,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382362,7 +382378,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382375,7 +382391,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382388,7 +382404,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382401,7 +382417,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382414,7 +382430,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382427,7 +382443,7 @@ $ rpm -q abrt-addon-ccpp - + Operating System is rhel @@ -382440,7 +382456,7 @@ $ rpm -q abrt-addon-ccpp - + Package audit is installed @@ -382448,11 +382464,11 @@ $ rpm -q abrt-addon-ccpp The RPM package audit should be installed. - + - + Package bash is installed @@ -382460,11 +382476,11 @@ $ rpm -q abrt-addon-ccpp The RPM package bash should be installed. - + - + Package chrony is installed @@ -382472,11 +382488,11 @@ $ rpm -q abrt-addon-ccpp The RPM package chrony should be installed. - + - + Package firewalld is installed @@ -382484,11 +382500,11 @@ $ rpm -q abrt-addon-ccpp The RPM package firewalld should be installed. - + - + Package gdm is installed @@ -382496,11 +382512,11 @@ $ rpm -q abrt-addon-ccpp The RPM package gdm should be installed. - + - + Package iptables is installed @@ -382508,11 +382524,11 @@ $ rpm -q abrt-addon-ccpp The RPM package iptables should be installed. - + - + Package libuser is installed @@ -382520,11 +382536,11 @@ $ rpm -q abrt-addon-ccpp The RPM package libuser should be installed. - + - + Package logrotate is installed @@ -382532,11 +382548,11 @@ $ rpm -q abrt-addon-ccpp The RPM package logrotate should be installed. - + - + Package net-snmp is installed @@ -382544,11 +382560,11 @@ $ rpm -q abrt-addon-ccpp The RPM package net-snmp should be installed. - + - + Package nftables is installed @@ -382556,11 +382572,11 @@ $ rpm -q abrt-addon-ccpp The RPM package nftables should be installed. - + - + Package nss-pam-ldapd is installed @@ -382568,11 +382584,11 @@ $ rpm -q abrt-addon-ccpp The RPM package nss-pam-ldapd should be installed. - + - + Package ntp is installed @@ -382580,11 +382596,11 @@ $ rpm -q abrt-addon-ccpp The RPM package ntp should be installed. - + - + Package pam is installed @@ -382592,11 +382608,11 @@ $ rpm -q abrt-addon-ccpp The RPM package pam should be installed. - + - + Package polkit is installed @@ -382604,11 +382620,11 @@ $ rpm -q abrt-addon-ccpp The RPM package polkit should be installed. - + - + Package postfix is installed @@ -382616,11 +382632,11 @@ $ rpm -q abrt-addon-ccpp The RPM package postfix should be installed. - + - + Package rsh-server is installed @@ -382628,11 +382644,11 @@ $ rpm -q abrt-addon-ccpp The RPM package rsh-server should be installed. - + - + Package shadow-utils is installed @@ -382640,11 +382656,11 @@ $ rpm -q abrt-addon-ccpp The RPM package shadow-utils should be installed. - + - + Package sssd-common is installed @@ -382652,11 +382668,11 @@ $ rpm -q abrt-addon-ccpp The RPM package sssd-common should be installed. - + - + Package sudo is installed @@ -382664,11 +382680,11 @@ $ rpm -q abrt-addon-ccpp The RPM package sudo should be installed. - + - + Package systemd is installed @@ -382676,11 +382692,11 @@ $ rpm -q abrt-addon-ccpp The RPM package systemd should be installed. - + - + Package tftp-server is installed @@ -382688,11 +382704,11 @@ $ rpm -q abrt-addon-ccpp The RPM package tftp-server should be installed. - + - + Package tmux is installed @@ -382700,11 +382716,11 @@ $ rpm -q abrt-addon-ccpp The RPM package tmux should be installed. - + - + Package ufw is installed @@ -382712,11 +382728,11 @@ $ rpm -q abrt-addon-ccpp The RPM package ufw should be installed. - + - + Package usbguard is installed @@ -382724,11 +382740,11 @@ $ rpm -q abrt-addon-ccpp The RPM package usbguard should be installed. - + - + Package yum is installed @@ -382736,11 +382752,11 @@ $ rpm -q abrt-addon-ccpp The RPM package yum should be installed. - + - + The firewalld is disabled on the system @@ -382750,7 +382766,7 @@ $ rpm -q abrt-addon-ccpp - + @@ -382758,582 +382774,582 @@ $ rpm -q abrt-addon-ccpp - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -383394,13 +383410,13 @@ $ rpm -q abrt-addon-ccpp ovirt-engine - + /proc/net/wireless - + /.dockerenv - + /run/.containerenv @@ -383442,7 +383458,7 @@ $ rpm -q abrt-addon-ccpp ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$ 1 - + /sys/firmware/efi @@ -383472,7 +383488,7 @@ $ rpm -q abrt-addon-ccpp ^VERSION_ID="(\d)"$ 1 - + /etc/debian_version @@ -383497,7 +383513,7 @@ $ rpm -q abrt-addon-ccpp oraclelinux-release - + /etc/os-release @@ -383509,7 +383525,7 @@ $ rpm -q abrt-addon-ccpp openSUSE-release - + /etc/os-release @@ -383638,7 +383654,7 @@ $ rpm -q abrt-addon-ccpp SLE_HPC-release - + /etc/lsb-release @@ -383668,7 +383684,7 @@ $ rpm -q abrt-addon-ccpp container - + /etc/default/grub ^\s*GRUB_CMDLINE_LINUX=".*ipv6\.disable=(\d).*$ @@ -383913,11 +383929,11 @@ $ rpm -q abrt-addon-ccpp yum - + ^firewalld\.(service|socket)$ ActiveState - + ^firewalld\.(service|socket)$ LoadState @@ -383926,280 +383942,280 @@ $ rpm -q abrt-addon-ccpp - + ^2.*$ - + ^3.*$ - + ^8.*$ - + ^15.*$ - + ^42.*$ - + ^20.*$ - + ^4.*$ - + ^.*uek.* - + 0:1.17-18 - + 0:1.17-18 - + ^aarch64$ - + ^ppc64le$ - + ^s390x$ - + 1 - + b401b4bd7e4f321db95fcae00d274ab8aa2cf1852d1495c382356d981f63d771 - + ^(enforcing|permissive)$ - + ^23.*$ - + ^7.*$ - + centos - + 8 - + centos - + 9 - + ol - + ^7.*$ - + ^8.*$ - + ^9.*$ - + openSUSE-release - + unix - + rhcos - + 4 - + 9 - + rhel - + unix - + ^7.*$ - + ^7.*$ - + ^7.*$ - + ^7.*$ - + 7 - + unix - + ^8.*$ - + ^8.0*$ - + ^8.1*$ - + ^8.2*$ - + ^8.3*$ - + ^8.4*$ - + ^8.5*$ - + ^8.6*$ - + ^8.7*$ - + ^8.8*$ - + ^8.9*$ - + ^8.10*$ - + 8 - + unix - + ^9.*$ - + 9 - + 0:4.4 - + ^7.*$ - + unix - + ^12.*$ - + ^12.*$ - + ^12.*$ - + unix - + ^15.*$ - + ^15.*$ - + ^15.*$ - + ^4.*$ - + ^15.*$ - + bwrap-osbuild - + ppc64le - + 0 - + ol - + 8.7 - + ol - + 9.0 - + rhel - + 8.2 - + rhel - + 8.7 - + rhel - + 9 - + rhel - + 9.0 - + rhel - + 8.3 - + rhel - + 8.4 - + rhel - + 8.5 - + rhel - + 9.0 - + inactive|failed - + masked diff --git a/ssg-rhel8-guide-stig.html b/ssg-rhel8-guide-stig.html index bc2ba01..ee4f213 100644 --- a/ssg-rhel8-guide-stig.html +++ b/ssg-rhel8-guide-stig.html @@ -64,15 +64,15 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for Red Hat Enterprise Linux 8
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.10
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8

Revision History

Current version: 0.1.71

  • draft - (as of 2023-11-08) + (as of 2023-11-09)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. Base Services
    2. Application Whitelisting Daemon
    3. FTP Server
    4. Kerberos
    5. Mail Server Software
    6. NFS and RPC
    7. Network Time Protocol
    8. Obsolete Services
    9. Hardware RNG Entropy Gatherer Daemon
    10. SSH Server
    11. System Security Services Daemon
    12. USBGuard daemon
    13. X Window System

Checklist

Group   Guide to the Secure Configuration of Red Hat Enterprise Linux 8 -   Group contains 106 groups and 403 rules
Group   +   Group contains 106 groups and 410 rules
Group   System Settings -   Group contains 78 groups and 344 rules

[ref]   +   Group contains 78 groups and 351 rules

[ref]   Contains rules that check correct system settings.

Group   Installing and Maintaining Software -   Group contains 17 groups and 67 rules

[ref]   +   Group contains 17 groups and 68 rules

[ref]   The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software @@ -103,17 +103,17 @@ files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and then again after any software update. AIDE is highly configurable, with further configuration -information located in /usr/share/doc/aide-VERSION.

Rule   +information located in /usr/share/doc/aide-VERSION.

Rule   Install AIDE   [ref]

The aide package can be installed with the following command: 

 $ sudo yum install aide

Rationale:

The AIDE package must be installed if it is to be available for integrity checking.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80844-4

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule

Remediation script:   (show)

Remediation script:   (show)


 [[packages]]
 name = "aide"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "aide" ; then
@@ -123,14 +123,14 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_aide
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_aide
 
 class install_aide {
   package { 'aide':
     ensure => 'installed',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure aide is installed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,9 +148,9 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

 package --add=aide
-

Rule   +

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -172,7 +172,7 @@ If this check produces any unexpected output, investigate.

Rationale:

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80675-2

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r880730_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "aide" ; then
@@ -185,7 +185,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -265,7 +265,7 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Configure AIDE to Verify the Audit Tools   [ref]

The operating system file integrity tool must be configured to protect the integrity of the audit tools.

Rationale:

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit @@ -287,7 +287,7 @@ manipulated, or replaced. An example is a checksum hash of the file or files.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85964-5

References:  - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r880722_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "aide" ; then
@@ -348,7 +348,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure aide is installed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
@@ -426,7 +426,7 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Configure Notification of Post-AIDE Scan Details   [ref]

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the @@ -445,7 +445,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82891-3

References:  - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r902716_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "aide" ; then
@@ -474,7 +474,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -520,7 +520,7 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Configure AIDE to Verify Access Control Lists (ACLs)   [ref]

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl @@ -534,7 +534,7 @@ /etc/aide.conf

Rationale:

ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

Severity: 
low
Identifiers and References

Identifiers:  CCE-84220-3

References:  - BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040310, SV-230552r880724_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "aide" ; then
@@ -564,7 +564,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather list of packages
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather list of packages
   package_facts:
     manager: auto
   when:
@@ -625,7 +625,7 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Configure AIDE to Verify Extended Attributes   [ref]

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs @@ -639,7 +639,7 @@ /etc/aide.conf

Rationale:

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

Severity: 
low
Identifiers and References

Identifiers:  CCE-83733-6

References:  - BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040300, SV-230551r627750_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "aide" ; then
@@ -669,7 +669,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather list of packages
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather list of packages
   package_facts:
     manager: auto
   when:
@@ -730,7 +730,7 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Audit Tools Must Be Group-owned by Root   [ref]

Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -739,7 +739,7 @@ Audit tools must have the correct group owner.

Rationale:

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86239-1

References:  - CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030640, SV-230474r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+            CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030640, SV-230474r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 chgrp 0 /sbin/auditctl
@@ -753,7 +753,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
   stat:
     path: /sbin/auditctl
   register: file_exists
@@ -990,7 +990,7 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   +

Rule   Audit Tools Must Be Owned by Root   [ref]

Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -999,7 +999,7 @@ Audit tools must have the correct owner.

Rationale:

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86259-9

References:  - CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030630, SV-230473r744008_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+            CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030630, SV-230473r744008_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 chown 0 /sbin/auditctl
@@ -1013,7 +1013,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
   stat:
     path: /sbin/auditctl
   register: file_exists
@@ -1250,7 +1250,7 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-

Rule   +

Rule   Audit Tools Must Have a Mode of 0755 or Less Permissive   [ref]

Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. @@ -1259,7 +1259,7 @@ Audit tools must have a mode of 0755 or less permissive.

Rationale:

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86227-6

References:  - CCI-001493, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030620, SV-230472r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
+            CCI-001493, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030620, SV-230472r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 chmod u-s,g-ws,o-wt /sbin/auditctl
@@ -1279,7 +1279,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Test for existence /sbin/auditctl
   stat:
     path: /sbin/auditctl
   register: file_exists
@@ -1529,7 +1529,7 @@
 utilize authentication that meets industry and government requirements. For government systems, this allows
 Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 8.
 


-See http://csrc.nist.gov/publications/PubsFIPS.html for more information.

Rule   +See http://csrc.nist.gov/publications/PubsFIPS.html for more information.

Rule   Enable Dracut FIPS Module   [ref]

To enable FIPS mode, run the following command: 

fips-mode-setup --enable
@@ -1553,7 +1553,7 @@ standards approved by the federal government since this provides assurance they have been tested and validated.

Severity: 
high
Identifiers and References

Identifiers:  CCE-82155-3

References:  - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then
 
 fips-mode-setup --enable
@@ -1565,7 +1565,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: Check to see the current status of FIPS mode
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: Check to see the current status of FIPS mode
   command: /usr/bin/fips-mode-setup --check
   register: is_fips_enabled
   changed_when: false
@@ -1631,7 +1631,7 @@
   - medium_disruption
   - reboot_required
   - restrict_strategy
-

Rule   +

Rule   Enable FIPS Mode   [ref]

To enable FIPS mode, run the following command: @@ -1649,7 +1649,7 @@ standards approved by the federal government since this provides assurance they have been tested and validated.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80942-6

References:  - CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 var_system_crypto_policy='FIPS'
@@ -1675,7 +1675,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:true
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str FIPS
   tags:
@@ -1781,7 +1781,7 @@
   - medium_disruption
   - reboot_required
   - restrict_strategy
-

Rule   +

Rule   Set kernel parameter 'crypto.fips_enabled' to 1   [ref]

System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. @@ -1824,7 +1824,7 @@ Currently the supported backends are:

  • GnuTLS library
  • OpenSSL library
  • NSS library
  • OpenJDK
  • Libkrb5
  • BIND
  • OpenSSH
Applications and languages which rely on any of these backends will follow the -system policies as well. Examples are apache httpd, nginx, php, and others.

Rule   +system policies as well. Examples are apache httpd, nginx, php, and others.

Rule   Configure BIND to use System Crypto Policy   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be @@ -1837,7 +1837,7 @@ include "/etc/crypto-policies/back-ends/bind.config";

Rationale:

Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80934-3

References:  - CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 function remediate_bind_crypto_policy() {
 	CONFIG_FILE="/etc/named.conf"
 	if test -f "$CONFIG_FILE"; then
@@ -1850,7 +1850,7 @@
 }
 
 remediate_bind_crypto_policy
-

Rule   +

Rule   Configure System Cryptography Policy   [ref]

To configure the system cryptography policy to use ciphers only from the FIPS policy, run the following command: @@ -1877,7 +1877,7 @@ the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80935-0

References:  - 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r928585_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 var_system_crypto_policy='FIPS'
 
 
@@ -1895,7 +1895,7 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
 	false  # end with an error code
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str FIPS
   tags:
@@ -1942,7 +1942,7 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
+
Remediation script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 spec:
@@ -1962,7 +1962,7 @@
             RemainAfterExit=yes
             [Install]
             WantedBy=multi-user.target
-

Rule   +

Rule   Configure GnuTLS library to use DoD-approved TLS Encryption   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. GnuTLS is supported by system crypto policy, but the GnuTLS configuration may be @@ -1975,7 +1975,7 @@ library violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84254-2

References:  - CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, RHEL-08-010295, SV-230256r877394_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict

+            CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, RHEL-08-010295, SV-230256r877394_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict

 CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config
 correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
 
@@ -1997,7 +1997,7 @@
         echo ${correct_value} >> ${CONF_FILE}
     fi
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact'
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact'
   set_fact:
     path: /etc/crypto-policies/back-ends/gnutls.config
     correct_value: +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
@@ -2078,7 +2078,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   +

Rule   Configure Kerberos to use System Crypto Policy   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be @@ -2088,10 +2088,10 @@ If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

Rationale:

Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80936-8

References:  - 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure

+            0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r928585_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure

 rm -f /etc/krb5.conf.d/crypto-policies
 ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure
- name: Configure Kerberos to use System Crypto Policy
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:configure
- name: Configure Kerberos to use System Crypto Policy
   file:
     src: /etc/crypto-policies/back-ends/krb5.config
     path: /etc/krb5.conf.d/crypto-policies
@@ -2108,7 +2108,7 @@
   - low_complexity
   - low_disruption
   - reboot_required
-

Rule   +

Rule   Configure Libreswan to use System Crypto Policy   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be @@ -2122,7 +2122,7 @@ service violate expectations, and makes system configuration more fragmented.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80937-6

References:  - CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 function remediate_libreswan_crypto_policy() {
     CONFIG_FILE="/etc/ipsec.conf"
     if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
@@ -2133,7 +2133,7 @@
 }
 
 remediate_libreswan_crypto_policy
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Configure Libreswan to use System Crypto Policy
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Configure Libreswan to use System Crypto Policy
   lineinfile:
     path: /etc/ipsec.conf
     line: include /etc/crypto-policies/back-ends/libreswan.config
@@ -2154,7 +2154,7 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Configure OpenSSL library to use System Crypto Policy   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be @@ -2165,7 +2165,7 @@ if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.

Rationale:

Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80938-4

References:  - CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010293, SV-230254r877394_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
 OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
 
@@ -2195,7 +2195,7 @@
 }
 
 remediate_openssl_crypto_policy
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
     Section
   ansible.builtin.find:
     paths: /etc/pki/tls
@@ -2303,7 +2303,7 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   Configure OpenSSL library to use TLS Encryption   [ref]

Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to @@ -2334,7 +2334,7 @@ Crypto Policy that satisfies OpenSSL minimum TLS protocol version 1.2. Custom policies may be applied too.

Rationale:

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-84255-9

References:  - CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010294, SV-230255r877394_rule

Rule   + CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010294, SV-230255r877394_rule

Rule   Configure SSH to use System Crypto Policy   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be @@ -2344,11 +2344,11 @@ in the /etc/sysconfig/sshd.

Rationale:

Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80939-2

References:  - CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r877394_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 SSH_CONF="/etc/sysconfig/sshd"
 
 sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Configure SSH to use System Crypto Policy
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Configure SSH to use System Crypto Policy
   lineinfile:
     dest: /etc/sysconfig/sshd
     state: absent
@@ -2369,7 +2369,7 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-

Rule   +

Rule   Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be @@ -2401,7 +2401,7 @@ weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.

Severity: 
high
Identifiers and References

Identifiers:  CCE-85902-5

References:  - CCI-000068, CCI-000877, CCI-001453, CCI-002418, CCI-002890, CCI-003123, AC-17(2), SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
 
 
@@ -2419,7 +2419,7 @@
 printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config"
 # Clean up after ourselves.
 rm "/etc/crypto-policies/back-ends/openssh.config.bak"
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_ciphers # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_ciphers # promote to variable
   set_fact:
     sshd_approved_ciphers: !!str aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
   tags:
@@ -2463,7 +2463,7 @@
   - low_disruption
   - reboot_required
   - restrict_strategy
-

Rule   +

Rule   Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be @@ -2495,7 +2495,7 @@ weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85897-7

References:  - CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010291, SV-230252r917873_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 sshd_approved_ciphers='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
 
 
@@ -2526,7 +2526,7 @@
         echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
     fi
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_ciphers # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_ciphers # promote to variable
   set_fact:
     sshd_approved_ciphers: !!str aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
   tags:
@@ -2613,7 +2613,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   +

Rule   Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be @@ -2643,7 +2643,7 @@ client violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85870-4

References:  - CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010020, SV-230223r928585_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
 
 
@@ -2661,7 +2661,7 @@
 printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config"
 # Clean up after ourselves.
 rm "/etc/crypto-policies/back-ends/openssh.config.bak"
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
   set_fact:
     sshd_approved_macs: !!str hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
   tags:
@@ -2705,7 +2705,7 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-

Rule   +

Rule   Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config   [ref]

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be @@ -2735,7 +2735,7 @@ server violate expectations, and makes system configuration more fragmented.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-85899-3

References:  - CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010290, SV-230251r917870_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 sshd_approved_macs='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
 
 
@@ -2766,7 +2766,7 @@
         echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
     fi
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:true
Strategy:restrict
- name: XCCDF Value sshd_approved_macs # promote to variable
   set_fact:
     sshd_approved_macs: !!str hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
   tags:
@@ -2861,7 +2861,7 @@
 security over the life of the product. A certified product that follows the
 necessary standards and government certification requirements guarantees that
 known software vulnerabilities will be remediated, and proper guidance for
-protecting and securing the operating system will be given.

Rule   +protecting and securing the operating system will be given.

Rule   The Installed Operating System Is Vendor Supported   [ref]

The installed operating system must be maintained by a vendor. @@ -2888,7 +2888,7 @@ McAfee Endpoint Security for Linux (ENSL)   Group contains 2 rules

[ref]   McAfee Endpoint Security for Linux (ENSL) is a suite of software applications -used to monitor, detect, and defend computer networks and systems.

Rule   +used to monitor, detect, and defend computer networks and systems.

Rule   Install McAfee Endpoint Security for Linux (ENSL)   [ref]

Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the @@ -2901,7 +2901,7 @@ automated remediation is not available for this configuration check.

Rationale:

Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86260-7

References:  - CCI-001263, CCI-000366, SI-2(2), SRG-OS-000191-GPOS-00080, RHEL-08-010001, SV-245540r754730_rule

Rule   + CCI-001263, CCI-000366, SI-2(2), SRG-OS-000191-GPOS-00080, RHEL-08-010001, SV-245540r754730_rule

Rule   Ensure McAfee Endpoint Security for Linux (ENSL) is running   [ref]

Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the @@ -2934,7 +2934,7 @@ listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ -for more detailed information on LVM.

Rule   +for more detailed information on LVM.

Rule   Encrypt Partitions   [ref]

Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to @@ -2969,7 +2969,7 @@ laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80789-1

References:  - 13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, RHEL-08-010030, SV-230224r917864_rule

Rule   + 13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, RHEL-08-010030, SV-230224r917864_rule

Rule   Ensure /home Located On Separate Partition   [ref]

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If @@ -2979,13 +2979,13 @@ setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Severity: 
low
Identifiers and References

Identifiers:  CCE-81044-0

References:  - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r902723_rule

Remediation script:   (show)

Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/home"
 size = 1073741824
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

 part /home
-

Rule   +

Rule   Ensure /tmp Located On Separate Partition   [ref]

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or @@ -2993,13 +2993,13 @@ Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80851-9

References:  - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule

Remediation script:   (show)

Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/tmp"
 size = 1073741824
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

 part /tmp
-

Rule   +

Rule   Ensure /var Located On Separate Partition   [ref]

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition @@ -3009,13 +3009,13 @@ It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80852-7

References:  - BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010540, 1.1.3.1, SV-230292r902718_rule

Remediation script:   (show)

Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var"
 size = 3221225472
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

 part /var
-

Rule   +

Rule   Ensure /var/log Located On Separate Partition   [ref]

System logs are stored in the /var/log directory. @@ -3024,13 +3024,13 @@ enables better separation between log files and other files in /var/.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80853-5

References:  - BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.5.1, SV-230293r902720_rule

Remediation script:   (show)

Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var/log"
 size = 5368709120
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

 part /var/log
-

Rule   +

Rule   Ensure /var/log/audit Located On Separate Partition   [ref]

Audit logs are stored in the /var/log/audit directory. @@ -3043,13 +3043,13 @@ auditing cannot be halted due to the partition running out of space.

Severity: 
low
Identifiers and References

Identifiers:  CCE-80854-3

References:  - BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-APP-000357-CTR-000800, RHEL-08-010542, 1.1.6.1, SV-230294r627750_rule

Remediation script:   (show)

Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var/log/audit"
 size = 10737418240
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

 part /var/log/audit
-

Rule   +

Rule   Ensure /var/tmp Located On Separate Partition   [ref]

The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or @@ -3057,15 +3057,15 @@ Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82730-3

References:  - BP28(R12), SRG-OS-000480-GPOS-00227, RHEL-08-010544, 1.1.4.1, SV-244529r902737_rule

Remediation script:   (show)

Remediation script:   (show)


 [[customizations.filesystem]]
 mountpoint = "/var/tmp"
 size = 1073741824
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

 part /var/tmp
Group   GNOME Desktop Environment -   Group contains 3 groups and 9 rules

[ref]   +   Group contains 3 groups and 10 rules

[ref]   GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphically rather than textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user @@ -3086,7 +3086,7 @@

For more information about enforcing preferences in the GNOME3 environment using the DConf -configuration system, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/> and the man page dconf(1).

Rule   +configuration system, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/> and the man page dconf(1).

Rule   Disable the GNOME3 Login User List   [ref]

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. @@ -3105,7 +3105,7 @@ with physical access to the system to quickly enumerate known user accounts without logging in.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86195-5

References:  - CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-08-020032, 1.8.3, SV-244536r743857_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+            CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-08-020032, 1.8.3, SV-244536r743857_rule
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
@@ -3166,7 +3166,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3241,7 +3241,7 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   Enable the GNOME3 Screen Locking On Smartcard Removal   [ref]

In the default graphical environment, screen locking on smartcard removal can be enabled by setting removal-action @@ -3258,7 +3258,7 @@ After the settings have been set, run dconf update.

Rationale:

Locking the screen automatically when removing the smartcard can prevent undesired access to system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83910-0

References:  - CCI-000056, CCI-000058, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020050, SV-230351r792899_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
@@ -3319,7 +3319,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3471,7 +3471,7 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-
Group   Configure GNOME Screen Locking -   Group contains 5 rules

[ref]   +   Group contains 6 rules

[ref]   In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting Lock. @@ -3560,7 +3560,7 @@

For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see http://wiki.gnome.org/dconf and -the man page dconf(1).

Rule   +the man page dconf(1).

Rule   Set GNOME3 Screensaver Inactivity Timeout   [ref]

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory @@ -3575,7 +3575,7 @@ system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80775-0

References:  - 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020060, SV-230352r646876_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 inactivity_timeout_value='900'
@@ -3620,7 +3620,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3691,7 +3691,7 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   Set GNOME3 Screensaver Lock Delay After Activation Period   [ref]

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 5 in @@ -3702,7 +3702,7 @@ After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80776-8

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020031, SV-244535r743854_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 var_screensaver_lock_delay='5'
@@ -3747,7 +3747,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3812,7 +3812,7 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   Enable GNOME3 Screensaver Lock After Idle Period   [ref]

To activate locking of the screensaver in the GNOME3 desktop when it is activated, @@ -3828,7 +3828,7 @@ After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80777-6

References:  - 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020030, SV-230347r627750_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
@@ -3889,7 +3889,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4094,7 +4094,97 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period +   [ref]

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings +by adding 

/org/gnome/desktop/screensaver/lock-enabled
+to /etc/dconf/db/local.d/locks/00-security-settings. +For example: +
/org/gnome/desktop/screensaver/lock-enabled
+After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity +of the information system but does not want to logout because of the temporary nature of the absense.

Severity: 
medium
Identifiers and References

Identifiers:  + CCE-87261-4

References:  + 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020082, SV-244539r743866_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm; then
+
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
+            | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+    sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
+then
+    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - CCE-87261-4
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020082
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_locked
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+
+- name: Prevent user modification of GNOME Screensaver lock-enabled
+  lineinfile:
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    regexp: ^/org/gnome/desktop/screensaver/lock-enabled$
+    line: /org/gnome/desktop/screensaver/lock-enabled
+    create: true
+  when: '"gdm" in ansible_facts.packages'
+  tags:
+  - CCE-87261-4
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020082
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_locked
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+
+- name: Dconf Update
+  command: dconf update
+  when: '"gdm" in ansible_facts.packages'
+  tags:
+  - CCE-87261-4
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020082
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_locked
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+

Rule   Ensure Users Cannot Change GNOME3 Screensaver Settings   [ref]

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay @@ -4107,7 +4197,7 @@ GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80780-0

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020080, SV-230354r743990_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
@@ -4133,7 +4223,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4185,7 +4275,7 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   Ensure Users Cannot Change GNOME3 Session Idle Settings   [ref]

If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay @@ -4198,7 +4288,7 @@ GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80781-8

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020081, SV-244538r743863_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
@@ -4224,7 +4314,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4290,7 +4380,7 @@
 actions that users normally would not be able to do in non-graphical mode such as
 remote access configuration, power policies, Geo-location, etc.
 Configuring such settings in GNOME will prevent accidential graphical configuration
-changes by users from taking place.

Rule   +changes by users from taking place.

Rule   Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3   [ref]

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. @@ -4310,7 +4400,7 @@ the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Severity: 
high
Identifiers and References

Identifiers:  CCE-84028-0

References:  - 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040171, SV-230530r646883_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
@@ -4371,7 +4461,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4463,7 +4553,7 @@
 that normally only root is allowed to execute.
 


 For more information on Sudo and addition Sudo configuration options, see
-https://www.sudo.ws.

Rule   +https://www.sudo.ws.

Rule   Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate   [ref]

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the @@ -4474,7 +4564,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82202-3

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010381, SV-230272r854027_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
@@ -4489,7 +4579,7 @@
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -4526,7 +4616,7 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Rule   +

Rule   Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled @@ -4540,7 +4630,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82197-5

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010380, SV-230271r854026_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
@@ -4555,7 +4645,7 @@
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -4592,7 +4682,7 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
-

Rule   +

Rule   Require Re-Authentication When Using the sudo Command   [ref]

The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. @@ -4607,7 +4697,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-87838-9

References:  - CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, 5.3.6, SV-237643r861088_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
+            CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, 5.3.6, SV-237643r861088_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
 if rpm --quiet -q sudo; then
 
 var_sudo_timestamp_timeout='0'
@@ -4646,7 +4736,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -4741,7 +4831,7 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_require_reauthentication
-

Rule   +

Rule   The operating system must restrict privilege elevation to authorized personnel   [ref]

The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password @@ -4754,7 +4844,7 @@ and removing lines from the sudoers file can make the system non-administrable.

Rationale:

If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83425-9

References:  - CCI-000366, CM-6(b), CM-6(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010382, SV-237641r646893_rule

Rule   + CCI-000366, CM-6(b), CM-6(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010382, SV-237641r646893_rule

Rule   Ensure sudo only includes the default configuration directory   [ref]

Administrators can configure authorized sudo users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed. @@ -4769,7 +4859,7 @@ Use of these configuration options makes it easier for one compromised accound to be used to compromise other accounts.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-86377-9

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010379, SV-251711r833385_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 sudoers_config_file="/etc/sudoers"
 sudoers_config_dir="/etc/sudoers.d"
 sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
@@ -4789,7 +4879,7 @@
 if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then
     sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/*
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Check for duplicate values
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:configure
- name: Check for duplicate values
   lineinfile:
     path: /etc/sudoers
     create: false
@@ -4906,7 +4996,7 @@
   - medium_severity
   - no_reboot_needed
   - sudoers_default_includedir
-

Rule   +

Rule   Ensure invoking users password for privilege escalation when using sudo   [ref]

The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. @@ -4922,7 +5012,7 @@ /etc/sudoers:Defaults !runaspw

Rationale:

If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-83422-6

References:  - CCI-000366, CCI-002227, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010383, SV-237642r880727_rule

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
+            CCI-000366, CCI-002227, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010383, SV-237642r880727_rule
Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q sudo; then
 
 if grep -x '^Defaults targetpw$' /etc/sudoers; then
@@ -4990,7 +5080,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -5371,18 +5461,18 @@
                 System Tooling / Utilities
                           Group contains 12 rules

[ref]   The following checks evaluate the system for recommended base packages -- both for installation -and removal.

Rule   +and removal.

Rule   Install rng-tools Package   [ref]

The rng-tools package can be installed with the following command: 

 $ sudo yum install rng-tools

Rationale:

rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82968-9

References:  - CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010472, SV-244527r743830_rule

Remediation script:   (show)

Remediation script:   (show)


 [[packages]]
 name = "rng-tools"
 version = "*"
-
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
+
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 if ! rpm -q --quiet "rng-tools" ; then
@@ -5392,14 +5482,14 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_rng-tools
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_rng-tools
 
 class install_rng-tools {
   package { 'rng-tools':
     ensure => 'installed',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure rng-tools is installed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure rng-tools is installed
   package:
     name: rng-tools
     state: present
@@ -5413,16 +5503,16 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

 package --add=rng-tools
-

Rule   +

Rule   Uninstall abrt-addon-ccpp Package   [ref]

The abrt-addon-ccpp package can be removed with the following command: 

 $ sudo yum erase abrt-addon-ccpp

Rationale:

abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82919-2

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove abrt-addon-ccpp
 #	   from the system, and may remove any packages
 #	   that depend on abrt-addon-ccpp. Execute this
@@ -5434,14 +5524,14 @@
     yum remove -y "abrt-addon-ccpp"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-addon-ccpp
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-addon-ccpp
 
 class remove_abrt-addon-ccpp {
   package { 'abrt-addon-ccpp':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-addon-ccpp is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-addon-ccpp is removed
   package:
     name: abrt-addon-ccpp
     state: absent
@@ -5454,16 +5544,16 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-ccpp_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=abrt-addon-ccpp
-

Rule   +

Rule   Uninstall abrt-addon-kerneloops Package   [ref]

The abrt-addon-kerneloops package can be removed with the following command: 

 $ sudo yum erase abrt-addon-kerneloops

Rationale:

abrt-addon-kerneloops contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82926-7

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove abrt-addon-kerneloops
 #	   from the system, and may remove any packages
 #	   that depend on abrt-addon-kerneloops. Execute this
@@ -5475,14 +5565,14 @@
     yum remove -y "abrt-addon-kerneloops"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-addon-kerneloops
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-addon-kerneloops
 
 class remove_abrt-addon-kerneloops {
   package { 'abrt-addon-kerneloops':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-addon-kerneloops is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-addon-kerneloops is removed
   package:
     name: abrt-addon-kerneloops
     state: absent
@@ -5495,16 +5585,16 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-kerneloops_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=abrt-addon-kerneloops
-

Rule   +

Rule   Uninstall abrt-cli Package   [ref]

The abrt-cli package can be removed with the following command: 

 $ sudo yum erase abrt-cli

Rationale:

abrt-cli contains a command line client for controlling abrt daemon over sockets.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82907-7

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove abrt-cli
 #	   from the system, and may remove any packages
 #	   that depend on abrt-cli. Execute this
@@ -5516,14 +5606,14 @@
     yum remove -y "abrt-cli"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-cli
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-cli
 
 class remove_abrt-cli {
   package { 'abrt-cli':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-cli is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-cli is removed
   package:
     name: abrt-cli
     state: absent
@@ -5536,15 +5626,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-cli_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=abrt-cli
-

Rule   +

Rule   Uninstall abrt-plugin-sosreport Package   [ref]

The abrt-plugin-sosreport package can be removed with the following command: 

 $ sudo yum erase abrt-plugin-sosreport

Rationale:

abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82910-1

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove abrt-plugin-sosreport
 #	   from the system, and may remove any packages
 #	   that depend on abrt-plugin-sosreport. Execute this
@@ -5556,14 +5646,14 @@
     yum remove -y "abrt-plugin-sosreport"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-plugin-sosreport
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_abrt-plugin-sosreport
 
 class remove_abrt-plugin-sosreport {
   package { 'abrt-plugin-sosreport':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-plugin-sosreport is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure abrt-plugin-sosreport is removed
   package:
     name: abrt-plugin-sosreport
     state: absent
@@ -5576,9 +5666,9 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-plugin-sosreport_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=abrt-plugin-sosreport
-

Rule   +

Rule   Uninstall gssproxy Package   [ref]

The gssproxy package can be removed with the following command: 

@@ -5586,7 +5676,7 @@
                                         This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
 RHV uses NFS storage, which has dependency on gssproxy.
Rationale:

gssproxy is a proxy for GSS API credential handling.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82943-2

References:  - CCI-000381, CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040370, SV-230559r646887_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040370, SV-230559r646887_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove gssproxy
 #	   from the system, and may remove any packages
 #	   that depend on gssproxy. Execute this
@@ -5598,14 +5688,14 @@
     yum remove -y "gssproxy"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_gssproxy
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_gssproxy
 
 class remove_gssproxy {
   package { 'gssproxy':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure gssproxy is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure gssproxy is removed
   package:
     name: gssproxy
     state: absent
@@ -5618,14 +5708,14 @@
   - medium_severity
   - no_reboot_needed
   - package_gssproxy_removed
-

Rule   +

Rule   Uninstall iprutils Package   [ref]

The iprutils package can be removed with the following command: 

 $ sudo yum erase iprutils

Rationale:

iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82946-5

References:  - CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040380, SV-230560r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040380, SV-230560r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove iprutils
 #	   from the system, and may remove any packages
 #	   that depend on iprutils. Execute this
@@ -5637,14 +5727,14 @@
     yum remove -y "iprutils"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_iprutils
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_iprutils
 
 class remove_iprutils {
   package { 'iprutils':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure iprutils is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure iprutils is removed
   package:
     name: iprutils
     state: absent
@@ -5657,9 +5747,9 @@
   - medium_severity
   - no_reboot_needed
   - package_iprutils_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=iprutils
-

Rule   +

Rule   Uninstall krb5-workstation Package   [ref]

The krb5-workstation package can be removed with the following command: 

@@ -5668,7 +5758,7 @@
 RHV hosts require ipa-client package, which has dependency on krb5-workstation.
Rationale:

Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd).

Severity: 
medium
Identifiers and References

Identifiers:  CCE-82931-7

References:  - CCI-000803, SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, RHEL-08-010162, SV-230239r646864_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000803, SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, RHEL-08-010162, SV-230239r646864_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove krb5-workstation
 #	   from the system, and may remove any packages
 #	   that depend on krb5-workstation. Execute this
@@ -5680,14 +5770,14 @@
     yum remove -y "krb5-workstation"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_krb5-workstation
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_krb5-workstation
 
 class remove_krb5-workstation {
   package { 'krb5-workstation':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure krb5-workstation is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure krb5-workstation is removed
   package:
     name: krb5-workstation
     state: absent
@@ -5700,16 +5790,16 @@
   - medium_severity
   - no_reboot_needed
   - package_krb5-workstation_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=krb5-workstation
-

Rule   +

Rule   Uninstall libreport-plugin-logger Package   [ref]

The libreport-plugin-logger package can be removed with the following command: 

 $ sudo yum erase libreport-plugin-logger

Rationale:

libreport-plugin-logger is a ABRT plugin to report bugs into the Red Hat Support system.

Severity: 
low
Identifiers and References

Identifiers:  CCE-89201-8

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove libreport-plugin-logger
 #	   from the system, and may remove any packages
 #	   that depend on libreport-plugin-logger. Execute this
@@ -5721,14 +5811,14 @@
     yum remove -y "libreport-plugin-logger"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_libreport-plugin-logger
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_libreport-plugin-logger
 
 class remove_libreport-plugin-logger {
   package { 'libreport-plugin-logger':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure libreport-plugin-logger is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure libreport-plugin-logger is removed
   package:
     name: libreport-plugin-logger
     state: absent
@@ -5741,16 +5831,16 @@
   - low_severity
   - no_reboot_needed
   - package_libreport-plugin-logger_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=libreport-plugin-logger
-

Rule   +

Rule   Uninstall libreport-plugin-rhtsupport Package   [ref]

The libreport-plugin-rhtsupport package can be removed with the following command: 

 $ sudo yum erase libreport-plugin-rhtsupport

Rationale:

libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system.

Severity: 
low
Identifiers and References

Identifiers:  CCE-88955-0

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove libreport-plugin-rhtsupport
 #	   from the system, and may remove any packages
 #	   that depend on libreport-plugin-rhtsupport. Execute this
@@ -5762,14 +5852,14 @@
     yum remove -y "libreport-plugin-rhtsupport"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_libreport-plugin-rhtsupport
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_libreport-plugin-rhtsupport
 
 class remove_libreport-plugin-rhtsupport {
   package { 'libreport-plugin-rhtsupport':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure libreport-plugin-rhtsupport is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure libreport-plugin-rhtsupport is removed
   package:
     name: libreport-plugin-rhtsupport
     state: absent
@@ -5782,16 +5872,16 @@
   - low_severity
   - no_reboot_needed
   - package_libreport-plugin-rhtsupport_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=libreport-plugin-rhtsupport
-

Rule   +

Rule   Uninstall python3-abrt-addon Package   [ref]

The python3-abrt-addon package can be removed with the following command: 

 $ sudo yum erase python3-abrt-addon

Rationale:

python3-abrt-addon contains python hook and python analyzer plugin for handling uncaught exceptions in python programs.

Severity: 
low
Identifiers and References

Identifiers:  CCE-86084-1

References:  - CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove python3-abrt-addon
 #	   from the system, and may remove any packages
 #	   that depend on python3-abrt-addon. Execute this
@@ -5803,14 +5893,14 @@
     yum remove -y "python3-abrt-addon"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_python3-abrt-addon
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_python3-abrt-addon
 
 class remove_python3-abrt-addon {
   package { 'python3-abrt-addon':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure python3-abrt-addon is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure python3-abrt-addon is removed
   package:
     name: python3-abrt-addon
     state: absent
@@ -5823,9 +5913,9 @@
   - low_severity
   - no_reboot_needed
   - package_python3-abrt-addon_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=python3-abrt-addon
-

Rule   +

Rule   Uninstall tuned Package   [ref]

The tuned package can be removed with the following command: 

@@ -5836,7 +5926,7 @@
 on that information, components will then be put into lower or higher power savings
 modes to adapt to the current usage.
Severity: 
medium
Identifiers and References

Identifiers:  CCE-82904-4

References:  - CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040390, SV-230561r627750_rule

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+            CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040390, SV-230561r627750_rule
Remediation Shell script:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 # CAUTION: This remediation script will remove tuned
 #	   from the system, and may remove any packages
 #	   that depend on tuned. Execute this
@@ -5848,14 +5938,14 @@
     yum remove -y "tuned"
 
 fi
-
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_tuned
+
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
include remove_tuned
 
 class remove_tuned {
   package { 'tuned':
     ensure => 'purged',
   }
 }
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure tuned is removed
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable
- name: Ensure tuned is removed
   package:
     name: tuned
     state: absent
@@ -5868,7 +5958,7 @@
   - medium_severity
   - no_reboot_needed
   - package_tuned_removed
-
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

+
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:disable

 package --remove=tuned
Group   Updating Software @@ -5882,7 +5972,7 @@ the RPM database, which records metadata of installed packages. Consistently using yum or the graphical Software Update for all software installation allows for insight into the current inventory of installed software on the system. -

Rule   +

Rule   Ensure yum Removes Previous Package Versions   [ref]

yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the @@ -5893,7 +5983,7 @@ to 1 in /etc/yum.conf.

Rationale:

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Severity: 
low
Identifiers and References

Identifiers:  CCE-82476-3

References:  - 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, RHEL-08-010440, SV-230281r854034_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q yum; then
 
 if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
@@ -5906,7 +5996,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -5947,7 +6037,7 @@
   - low_severity
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Ensure gpgcheck Enabled In Main yum Configuration   [ref]

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. @@ -5969,7 +6059,7 @@ this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Severity: 
high
Identifiers and References

Identifiers:  CCE-80790-9

References:  - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010370, 1.2.3, SV-230264r880711_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q yum; then
 
 # Strip any search characters in the key arg so that the key can be replaced without
@@ -5997,7 +6087,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6054,7 +6144,7 @@
   - low_complexity
   - medium_disruption
   - no_reboot_needed
-

Rule   +

Rule   Ensure gpgcheck Enabled for Local Packages   [ref]

yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local @@ -6065,7 +6155,7 @@ Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80791-7

References:  - BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, RHEL-08-010371, SV-230265r877463_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q yum; then
 
 # Strip any search characters in the key arg so that the key can be replaced without
@@ -6093,7 +6183,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6152,7 +6242,7 @@
   - medium_disruption
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   Ensure gpgcheck Enabled for All yum Package Repositories   [ref]

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form: @@ -6163,9 +6253,9 @@ requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)."

Severity: 
high
Identifiers and References

Identifiers:  CCE-80792-5

References:  - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, RHEL-08-010370, SV-230264r880711_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)


 sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:enable
- name: Grep for yum repo section names
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:enable
- name: Grep for yum repo section names
   shell: |
     set -o pipefail
     grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
@@ -6226,7 +6316,7 @@
   - low_complexity
   - medium_disruption
   - no_reboot_needed
-

Rule   +

Rule   Ensure Red Hat GPG Key Installed   [ref]

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), @@ -6249,7 +6339,7 @@ The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

Severity: 
high
Identifiers and References

Identifiers:  CCE-80795-8

References:  - BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-08-010019, 1.2.2, SV-256973r902752_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
 readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
 readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
 
@@ -6276,7 +6366,7 @@
     }
   fi
 fi
-
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:false
Strategy:restrict
- name: Read permission of GPG key directory
+
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Reboot:false
Strategy:restrict
- name: Read permission of GPG key directory
   stat:
     path: /etc/pki/rpm-gpg/
   register: gpg_key_directory_permission
@@ -6393,7 +6483,7 @@
   - medium_disruption
   - no_reboot_needed
   - restrict_strategy
-

Rule   +

Rule   Ensure Software Patches Installed   [ref]

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, @@ -6411,10 +6501,10 @@ users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80865-9

References:  - BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, RHEL-08-010010, 1.9, SV-230222r627750_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch

 
 yum -y update
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch
- name: Security patches are up to date
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch
- name: Security patches are up to date
   package:
     name: '*'
     state: latest
@@ -6436,7 +6526,7 @@
   - skip_ansible_lint
Group   Account and Access Control -   Group contains 18 groups and 77 rules

[ref]   +   Group contains 18 groups and 79 rules

[ref]   In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, @@ -6470,7 +6560,7 @@ by the GNOME Display Manager (GDM). The warning banner should be displayed in this graphical environment for these users. The following sections describe how to configure the GDM login -banner.

Rule   +banner.

Rule   Enable GNOME3 Login Warning Banner   [ref]

In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login @@ -6492,7 +6582,7 @@ For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80768-5

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010049, 1.8.2, SV-244519r743806_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm; then
 
 # Check for setting in any of the DConf db directories
@@ -6553,7 +6643,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6630,7 +6720,7 @@
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   +

Rule   Modify the System Login Banner   [ref]

To configure the system login banner edit /etc/issue. Replace the @@ -6903,7 +6993,7 @@ with human users and are not required when such human interfaces do not exist.

Severity: 
medium
Identifiers and References

Identifiers:  CCE-80763-6

References:  - 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010060, 1.7.2, SV-230227r627750_rule

Remediation Shell script:   (show)

Remediation Shell script:   (show)

# Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
 login_banner_text='^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$'
@@ -6929,7 +7019,7 @@
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi
-
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: XCCDF Value login_banner_text # promote to variable
+
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: XCCDF Value login_banner_text # promote to variable
   set_fact:
     login_banner_text: !!str ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
   tags:
@@ -6956,7 +7046,7 @@
   - unknown_strategy
Group   Protect Accounts by Configuring PAM -   Group contains 4 groups and 29 rules

[ref]   +   Group contains 4 groups and 31 rules

[ref]   PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it should be configured @@ -6997,7 +7087,7 @@ https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf.

Group   Set Lockouts for Failed Password Attempts -   Group contains 10 rules

[ref]   +   Group contains 12 rules

[ref]   The pam_faillock PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in @@ -7007,13 +7097,23 @@ risk of a denial-of-service attack. The lockout policy must weigh whether the risk of such a denial-of-service attack outweighs the benefits of thwarting -password guessing attacks.