diff --git a/ssg-rhel8-ds-1.2.xml b/ssg-rhel8-ds-1.2.xml
index cdc82ae..07bb388 100644
--- a/ssg-rhel8-ds-1.2.xml
+++ b/ssg-rhel8-ds-1.2.xml
@@ -23,7 +23,7 @@
-
+
Red Hat Enterprise Linux 8
@@ -75,9 +75,9 @@
-
+
- draft
+ draft
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -120,170 +120,161 @@ trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.
-
-
-
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
+
+
+
+
+
-
+
-
+
+
-
+
-
+
+
+
+
-
+
-
-
+
-
+
-
-
-
+
+
+
+
+
-
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
+
+
-
+
-
+
-
+
-
+
+
-
+
-
-
-
-
+
+
-
+
-
+
+
+
-
+
-
-
-
-
+
-
+
-
-
-
-
-
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
-
+
-
+
@@ -291,48 +282,56 @@ respective companies.
-
-
-
-
+
+
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
@@ -341,48 +340,44 @@ respective companies.
-
+
-
+
-
+
-
+
-
+
-
-
+
-
+
+
+
+
+
+
-
+
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
@@ -391,118 +386,94 @@ respective companies.
-
+
-
-
-
-
+
-
+
-
+
-
-
-
-
+
+
+
-
+
-
-
-
-
+
+
-
+
-
-
-
+
-
-
-
-
-
-
+
-
+
-
+
-
-
+
-
+
-
-
+
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+
-
+
-
+
-
+
-
-
+
-
+
-
+
+
-
-
-
+
+
+
+
@@ -516,26 +487,55 @@ respective companies.
-
+
-
+
-
+
-
+
+
-
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
@@ -842,246 +842,246 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
-
-
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1312,320 +1312,320 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
-
-
-
-
-
+
+
-
-
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1858,175 +1858,175 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
-
+
+
+
+
+
+
+
+
+
+
-
-
-
+
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2267,53 +2267,53 @@ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
A copy of the ANSSI-BP-028 can be found at the ANSSI website:
https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
-
-
+
+
+
+
+
-
-
+
+
+
-
-
-
-
-
-
+
+
+
+
+
-
+
-
-
-
-
+
+
+
+
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
+
-
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
@@ -2567,365 +2567,365 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security®
Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
https://www.cisecurity.org/benchmark/red_hat_linux/
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3130,289 +3130,289 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security®
Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
https://www.cisecurity.org/benchmark/red_hat_linux/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
+
+
-
-
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3623,282 +3623,282 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security®
Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
https://www.cisecurity.org/benchmark/red_hat_linux/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
-
-
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4116,361 +4116,361 @@ Linux 8 Benchmark™, v2.0.0, released 2022-02-23.
This profile includes Center for Internet Security®
Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
https://www.cisecurity.org/benchmark/red_hat_linux/
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4679,111 +4679,111 @@ Policy Resource Center:
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
-
-
-
-
-
+
+
+
-
-
-
-
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
-
-
+
+
-
-
+
+
@@ -5030,216 +5030,216 @@ in NIST Special Publication 800-53.
This profile configures Red Hat Enterprise Linux 8 to the NIST Special
Publication 800-53 controls identified for securing Controlled Unclassified
Information (CUI)."
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
-
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5472,104 +5472,104 @@ ACSC website:
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
-
-
-
+
+
+
+
+
-
-
+
+
+
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -5795,143 +5795,143 @@ This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security
Rule identified for securing of electronic protected health information.
Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
https://www.hhs.gov/hipaa/for-professionals/index.html
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
-
-
+
-
-
+
-
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
@@ -6153,157 +6153,157 @@ A copy of the ISM can be found at the ACSC website:
https://www.cyber.gov.au/ism
https://www.cyber.gov.au/ism
-
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
+
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
+
+
-
-
-
+
+
+
+
+
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -6510,216 +6510,216 @@ U.S. National Security Systems to adhere to certain configuration
parameters. Accordingly, this configuration profile is suitable for
use in U.S. National Security Systems.
https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
-
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -6952,263 +6952,263 @@ financial information.
This profile ensures Red Hat Enterprise Linux 8 is configured in alignment
with PCI-DSS v4.0 requirements.
https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
-
-
-
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
-
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
+
-
-
-
+
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
@@ -7412,77 +7412,77 @@ with PCI-DSS v4.0 requirements.
configuration settings recommended by Red Hat, Inc for
Red Hat Enterprise Linux 8 instances deployed by Red Hat Certified
Cloud Providers.
-
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
+
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
@@ -7722,85 +7722,85 @@ Cloud Providers.
This profile contains rules to ensure standard security baseline
of a Red Hat Enterprise Linux 8 system. Regardless of your system's workload
all of these checks should pass.
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
+
-
-
-
-
+
-
-
-
-
-
-
+
-
+
+
+
+
+
-
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
-
+
+
+
+
+
-
-
-
-
+
+
+
+
+
@@ -8039,416 +8039,416 @@ Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:
- Red Hat Storage
- Red Hat Containers with a Red Hat Enterprise Linux 8 image
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
-
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
@@ -8670,413 +8670,413 @@ your Information Systems Security Officer (ISSO) lacks a documented operational
requirement for a graphical user interface, please consider using the
standard DISA STIG for Red Hat Enterprise Linux 8 profile.
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
-
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
@@ -9418,16 +9418,6 @@ Alternatively, the package can be reinstalled from trusted media using the comma
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.
CCE-80857-6
-
-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-yum reinstall -y $packages_to_reinstall
-
- name: 'Set fact: Package manager reinstall command (dnf)'
set_fact:
package_manager_reinstall_cmd: dnf reinstall -y
@@ -9587,6 +9577,16 @@ yum reinstall -y $packages_to_reinstall
- no_reboot_needed
- restrict_strategy
- rpm_verify_hashes
+
+
+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+yum reinstall -y $packages_to_reinstall
@@ -9727,28 +9727,6 @@ could allow an unauthorized user to gain privileges that they should
not have. The ownership set by the vendor should be maintained. Any
deviations from this baseline should be investigated.
CCE-82196-7
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --setugids "${RPM_PACKAGE}"
-done
-
- name: Read list of files with incorrect ownership
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nomode
@@ -9829,6 +9807,28 @@ done
- no_reboot_needed
- restrict_strategy
- rpm_verify_ownership
+
+
+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+ RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
+ # Use an associative array to store packages as it's keys, not having to care about duplicates.
+ SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+ rpm --setugids "${RPM_PACKAGE}"
+done
@@ -9983,32 +9983,6 @@ could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
CCE-80858-4
-
-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
- # NOTE: some files maybe controlled by more then one package
- readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
- for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
- do
- # Use an associative array to store packages as it's keys, not having to care about duplicates.
- SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
- done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
- rpm --restore "${RPM_PACKAGE}"
-done
-
- name: Read list of files with incorrect permissions
command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
--nocaps --nolinkto --nouser --nogroup
@@ -10092,6 +10066,32 @@ done
- no_reboot_needed
- restrict_strategy
- rpm_verify_permissions
+
+
+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+ # NOTE: some files maybe controlled by more then one package
+ readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+ for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+ do
+ # Use an associative array to store packages as it's keys, not having to care about duplicates.
+ SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+ done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+ rpm --restore "${RPM_PACKAGE}"
+done
@@ -10194,21 +10194,13 @@ $ sudo yum install aide
SV-251710r880730_rule
The AIDE package must be installed if it is to be available for integrity checking.
CCE-80844-4
+
+package --add=aide
+
[[packages]]
name = "aide"
version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
include install_aide
@@ -10237,8 +10229,16 @@ class install_aide {
- no_reboot_needed
- package_aide_installed
-
-package --add=aide
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -10341,20 +10341,6 @@ If this check produces any unexpected output, investigate.For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
CCE-80675-2
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-/usr/sbin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
ansible.builtin.package:
name: '{{ item }}'
@@ -10435,6 +10421,20 @@ fi
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+/usr/sbin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -10472,68 +10472,6 @@ provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files.
CCE-85964-5
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure aide is installed
package:
name: '{{ item }}'
@@ -10612,6 +10550,68 @@ fi
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/rsyslogd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/rsyslogd.*#/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -10720,24 +10720,6 @@ system. The operating system's Information Management Officer (IMO)/Information
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item.
CCE-80676-0
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
- echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-else
- sed -i '\!^.* --check.*$!d' /etc/crontab
- echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Ensure AIDE is installed
package:
name: '{{ item }}'
@@ -10845,6 +10827,24 @@ fi
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
+ echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+else
+ sed -i '\!^.* --check.*$!d' /etc/crontab
+ echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -10924,36 +10924,6 @@ system. The operating system's Information Management Officer (IMO)/Information
Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
monitoring system trap when there is an unauthorized modification of a configuration item.
CCE-82891-3
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-var_aide_scan_notification_email=''
-
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
- CRONTAB_EXIST=/etc/crontab
-fi
-
-if [ -f /var/spool/cron/root ]; then
- VARSPOOL=/var/spool/cron/root
-fi
-
-if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
- echo "0 5 * * * root /usr/sbin/aide --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
set_fact:
var_aide_scan_notification_email: !!str
@@ -11000,6 +10970,36 @@ fi
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+var_aide_scan_notification_email=''
+
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+ CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+ VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+ echo "0 5 * * * root /usr/sbin/aide --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -11146,37 +11146,6 @@ The remediation provided with this rule adds acl to all r
ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools.
CCE-84220-3
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-aide_conf="/etc/aide.conf"
-
-groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
-
-for group in $groups
-do
- config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
-
- if ! [[ $config = *acl* ]]
- then
- if [[ -z $config ]]
- then
- config="acl"
- else
- config=$config"+acl"
- fi
- fi
- sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
-done
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather list of packages
package_facts:
manager: auto
@@ -11238,6 +11207,37 @@ fi
- low_severity
- no_reboot_needed
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+aide_conf="/etc/aide.conf"
+
+groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+
+for group in $groups
+do
+ config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
+
+ if ! [[ $config = *acl* ]]
+ then
+ if [[ -z $config ]]
+ then
+ config="acl"
+ else
+ config=$config"+acl"
+ fi
+ fi
+ sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -11288,37 +11288,6 @@ The remediation provided with this rule adds xattrs to al
Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications.
CCE-83733-6
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "aide" ; then
- yum install -y "aide"
-fi
-
-aide_conf="/etc/aide.conf"
-
-groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
-
-for group in $groups
-do
- config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
-
- if ! [[ $config = *xattrs* ]]
- then
- if [[ -z $config ]]
- then
- config="xattrs"
- else
- config=$config"+xattrs"
- fi
- fi
- sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
-done
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather list of packages
package_facts:
manager: auto
@@ -11380,6 +11349,37 @@ fi
- low_severity
- no_reboot_needed
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "aide" ; then
+ yum install -y "aide"
+fi
+
+aide_conf="/etc/aide.conf"
+
+groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+
+for group in $groups
+do
+ config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
+
+ if ! [[ $config = *xattrs* ]]
+ then
+ if [[ -z $config ]]
+ then
+ config="xattrs"
+ else
+ config=$config"+xattrs"
+ fi
+ fi
+ sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -11407,21 +11407,6 @@ Audit tools must have the correct group owner.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
CCE-86239-1
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-chgrp 0 /sbin/auditctl
-chgrp 0 /sbin/aureport
-chgrp 0 /sbin/ausearch
-chgrp 0 /sbin/autrace
-chgrp 0 /sbin/auditd
-chgrp 0 /sbin/rsyslogd
-chgrp 0 /sbin/augenrules
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Test for existence /sbin/auditctl
stat:
path: /sbin/auditctl
@@ -11659,6 +11644,21 @@ fi
- low_disruption
- medium_severity
- no_reboot_needed
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+chgrp 0 /sbin/auditctl
+chgrp 0 /sbin/aureport
+chgrp 0 /sbin/ausearch
+chgrp 0 /sbin/autrace
+chgrp 0 /sbin/auditd
+chgrp 0 /sbin/rsyslogd
+chgrp 0 /sbin/augenrules
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -11686,21 +11686,6 @@ Audit tools must have the correct owner.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
CCE-86259-9
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-chown 0 /sbin/auditctl
-chown 0 /sbin/aureport
-chown 0 /sbin/ausearch
-chown 0 /sbin/autrace
-chown 0 /sbin/auditd
-chown 0 /sbin/rsyslogd
-chown 0 /sbin/augenrules
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Test for existence /sbin/auditctl
stat:
path: /sbin/auditctl
@@ -11938,6 +11923,21 @@ fi
- low_disruption
- medium_severity
- no_reboot_needed
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+chown 0 /sbin/auditctl
+chown 0 /sbin/aureport
+chown 0 /sbin/ausearch
+chown 0 /sbin/autrace
+chown 0 /sbin/auditd
+chown 0 /sbin/rsyslogd
+chown 0 /sbin/augenrules
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -11963,27 +11963,6 @@ Audit tools must have a mode of 0755 or less permissive.
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information.
CCE-86227-6
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-chmod u-s,g-ws,o-wt /sbin/auditctl
-
-chmod u-s,g-ws,o-wt /sbin/aureport
-
-chmod u-s,g-ws,o-wt /sbin/ausearch
-
-chmod u-s,g-ws,o-wt /sbin/autrace
-
-chmod u-s,g-ws,o-wt /sbin/auditd
-
-chmod u-s,g-ws,o-wt /sbin/rsyslogd
-
-chmod u-s,g-ws,o-wt /sbin/augenrules
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Test for existence /sbin/auditctl
stat:
path: /sbin/auditctl
@@ -12221,6 +12200,27 @@ fi
- low_disruption
- medium_severity
- no_reboot_needed
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+chmod u-s,g-ws,o-wt /sbin/auditctl
+
+chmod u-s,g-ws,o-wt /sbin/aureport
+
+chmod u-s,g-ws,o-wt /sbin/ausearch
+
+chmod u-s,g-ws,o-wt /sbin/autrace
+
+chmod u-s,g-ws,o-wt /sbin/auditd
+
+chmod u-s,g-ws,o-wt /sbin/rsyslogd
+
+chmod u-s,g-ws,o-wt /sbin/augenrules
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -12286,19 +12286,6 @@ protect data. The operating system must implement cryptographic modules adhering
standards approved by the federal government since this provides assurance they have been tested
and validated.
CCE-82155-3
- # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then
-
-fips-mode-setup --enable
-FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
-if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
- echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
@@ -12365,6 +12352,19 @@ fi
- medium_disruption
- reboot_required
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ); then
+
+fips-mode-setup --enable
+FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"
+if ! grep "^add_dracutmodules+=\" fips \"" $FIPS_CONF; then
+ echo "add_dracutmodules+=\" fips \"" >> $FIPS_CONF
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -12418,33 +12418,6 @@ standards approved by the federal government since this provides assurance they
and validated.
CCE-80942-6
- # Remediation is applicable only in certain platforms
-if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-var_system_crypto_policy=''
-
-
-fips-mode-setup --enable
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str
@@ -12551,6 +12524,33 @@ fi
- medium_disruption
- reboot_required
- restrict_strategy
+
+ # Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+var_system_crypto_policy=''
+
+
+fips-mode-setup --enable
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -12734,15 +12734,13 @@ $ sudo yum install crypto-policies
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data.
CCE-82723-8
+
+package --add=crypto-policies
+
[[packages]]
name = "crypto-policies"
version = "*"
-
-
-if ! rpm -q --quiet "crypto-policies" ; then
- yum install -y "crypto-policies"
-fi
include install_crypto-policies
@@ -12765,8 +12763,10 @@ class install_crypto-policies {
- no_reboot_needed
- package_crypto-policies_installed
-
-package --add=crypto-policies
+
+if ! rpm -q --quiet "crypto-policies" ; then
+ yum install -y "crypto-policies"
+fi
@@ -12878,24 +12878,26 @@ submits to this process.
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data.
CCE-80935-0
-
-var_system_crypto_policy=''
-
-
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
-fi
+ ---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+ config:
+ ignition:
+ version: 3.1.0
+ systemd:
+ units:
+ - name: configure-crypto-policy.service
+ enabled: true
+ contents: |
+ [Unit]
+ Before=kubelet.service
+ [Service]
+ Type=oneshot
+ ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+ RemainAfterExit=yes
+ [Install]
+ WantedBy=multi-user.target
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
@@ -12947,26 +12949,24 @@ fi
- no_reboot_needed
- restrict_strategy
- ---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
- config:
- ignition:
- version: 3.1.0
- systemd:
- units:
- - name: configure-crypto-policy.service
- enabled: true
- contents: |
- [Unit]
- Before=kubelet.service
- [Service]
- Type=oneshot
- ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
- RemainAfterExit=yes
- [Install]
- WantedBy=multi-user.target
+
+var_system_crypto_policy=''
+
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
@@ -12996,29 +12996,6 @@ line and is not commented out:
library violate expectations, and makes system configuration more
fragmented.
CCE-84254-2
-
-CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config
-correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
-
-grep -q ${correct_value} ${CONF_FILE}
-
-if [[ $? -ne 0 ]]; then
- # We need to get the existing value, using PCRE to maintain same regex
- existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE})
-
- if [[ ! -z ${existing_value} ]]; then
- # replace existing_value with correct_value
- sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
- else
- # ***NOTE*** #
- # This probably means this file is not here or it's been modified
- # unintentionally.
- # ********** #
- # echo correct_value to end
- echo ${correct_value} >> ${CONF_FILE}
- fi
-fi
-
- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact'
set_fact:
path: /etc/crypto-policies/back-ends/gnutls.config
@@ -13100,6 +13077,29 @@ fi
- medium_severity
- reboot_required
- restrict_strategy
+
+
+CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config
+correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
+
+grep -q ${correct_value} ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+ # We need to get the existing value, using PCRE to maintain same regex
+ existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' ${CONF_FILE})
+
+ if [[ ! -z ${existing_value} ]]; then
+ # replace existing_value with correct_value
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+ else
+ # ***NOTE*** #
+ # This probably means this file is not here or it's been modified
+ # unintentionally.
+ # ********** #
+ # echo correct_value to end
+ echo ${correct_value} >> ${CONF_FILE}
+ fi
+fi
@@ -13130,10 +13130,6 @@ If the symlink exists, Kerberos is configured to use the system-wide crypto poli
Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented.
CCE-80936-8
-
-rm -f /etc/krb5.conf.d/crypto-policies
-ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
-
- name: Configure Kerberos to use System Crypto Policy
file:
src: /etc/crypto-policies/back-ends/krb5.config
@@ -13151,6 +13147,10 @@ ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policie
- low_complexity
- low_disruption
- reboot_required
+
+
+rm -f /etc/krb5.conf.d/crypto-policies
+ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
@@ -13187,18 +13187,6 @@ is not commented out or superseded by later includes:
service violate expectations, and makes system configuration more
fragmented.
CCE-80937-6
-
-function remediate_libreswan_crypto_policy() {
- CONFIG_FILE="/etc/ipsec.conf"
- if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
- # the file might not end with a new line
- echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
- fi
- return 0
-}
-
-remediate_libreswan_crypto_policy
-
- name: Configure Libreswan to use System Crypto Policy
lineinfile:
path: /etc/ipsec.conf
@@ -13219,6 +13207,18 @@ remediate_libreswan_crypto_policy
- low_disruption
- no_reboot_needed
- restrict_strategy
+
+
+function remediate_libreswan_crypto_policy() {
+ CONFIG_FILE="/etc/ipsec.conf"
+ if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
+ # the file might not end with a new line
+ echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
+ fi
+ return 0
+}
+
+remediate_libreswan_crypto_policy
@@ -13254,37 +13254,6 @@ if there is a [ crypto_policy ] section that contains the
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented.
CCE-80938-4
-
-OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
-OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
-
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
-
-
-
-
-
-
-function remediate_openssl_crypto_policy() {
- CONFIG_FILE=/etc/pki/tls/openssl.cnf
- if test -f "$CONFIG_FILE"; then
- if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
- printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
- return 0
- elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
- sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
- return 0
- fi
- else
- echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
- return 1
- fi
-}
-
-remediate_openssl_crypto_policy
-
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
Section
ansible.builtin.find:
@@ -13389,6 +13358,37 @@ remediate_openssl_crypto_policy
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+
+OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
+OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
+
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
+
+
+
+
+
+
+function remediate_openssl_crypto_policy() {
+ CONFIG_FILE=/etc/pki/tls/openssl.cnf
+ if test -f "$CONFIG_FILE"; then
+ if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
+ printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
+ return 0
+ elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
+ sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
+ return 0
+ fi
+ else
+ echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
+ return 1
+ fi
+}
+
+remediate_openssl_crypto_policy
@@ -13478,11 +13478,6 @@ in the /etc/sysconfig/sshd.
Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented.
CCE-80939-2
-
-SSH_CONF="/etc/sysconfig/sshd"
-
-sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
-
- name: Configure SSH to use System Crypto Policy
lineinfile:
dest: /etc/sysconfig/sshd
@@ -13504,6 +13499,11 @@ sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
- medium_disruption
- medium_severity
- reboot_required
+
+
+SSH_CONF="/etc/sysconfig/sshd"
+
+sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF
@@ -13538,15 +13538,6 @@ variable configured with predefined value.
are configured e.g. cipher suites. Currently particular requirements
specified by CC are stricter compared to any existing Crypto Policy.
CCE-84286-4
-
-cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-file="/etc/crypto-policies/local.d/opensslcnf-ospp.config"
-backend_file="/etc/crypto-policies/back-ends/opensslcnf.config"
-
-sed -i "/Ciphersuites\s*=\s*/d" "$backend_file"
-printf "\n%s\n" "$cp" >> "$file"
-update-crypto-policies
-
- name: Remove configuration from backend file /etc/crypto-policies/back-ends/opensslcnf.config
lineinfile:
path: /etc/crypto-policies/back-ends/opensslcnf.config
@@ -13593,6 +13584,15 @@ update-crypto-policies
- medium_severity
- reboot_required
- restrict_strategy
+
+
+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+file="/etc/crypto-policies/local.d/opensslcnf-ospp.config"
+backend_file="/etc/crypto-policies/back-ends/opensslcnf.config"
+
+sed -i "/Ciphersuites\s*=\s*/d" "$backend_file"
+printf "\n%s\n" "$cp" >> "$file"
+update-crypto-policies
@@ -13688,25 +13688,6 @@ specifying a cipher list with the order of ciphers being in a “strongest
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections.
CCE-85902-5
-
-sshd_approved_ciphers=''
-
-
-if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
-
- LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
-else
- touch "/etc/crypto-policies/back-ends/openssh.config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
-
-cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
-# Insert at the end of the file
-printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config"
-# Clean up after ourselves.
-rm "/etc/crypto-policies/back-ends/openssh.config.bak"
-
- name: XCCDF Value sshd_approved_ciphers # promote to variable
set_fact:
sshd_approved_ciphers: !!str
@@ -13751,6 +13732,25 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak"
- low_disruption
- reboot_required
- restrict_strategy
+
+
+sshd_approved_ciphers=''
+
+
+if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
+
+ LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
+else
+ touch "/etc/crypto-policies/back-ends/openssh.config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
+
+cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
+# Insert at the end of the file
+printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config"
+# Clean up after ourselves.
+rm "/etc/crypto-policies/back-ends/openssh.config.bak"
@@ -13800,38 +13800,6 @@ specifying a cipher list with the order of ciphers being in a “strongest
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections.
CCE-85897-7
-
-sshd_approved_ciphers=''
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
-correct_value="-oCiphers=${sshd_approved_ciphers}"
-
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
-
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
-
-grep -q "'${correct_value}'" ${CONF_FILE}
-
-if [[ $? -ne 0 ]]; then
- # We need to get the existing value, using PCRE to maintain same regex
- existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
-
- if [[ ! -z ${existing_value} ]]; then
- # replace existing_value with correct_value
- sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
- else
- # ***NOTE*** #
- # This probably means this file is not here or it's been modified
- # unintentionally.
- # ********** #
- # echo correct_value to end
- echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
- fi
-fi
-
- name: XCCDF Value sshd_approved_ciphers # promote to variable
set_fact:
sshd_approved_ciphers: !!str
@@ -13919,6 +13887,38 @@ fi
- medium_severity
- reboot_required
- restrict_strategy
+
+
+sshd_approved_ciphers=''
+
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oCiphers=${sshd_approved_ciphers}"
+
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+ # We need to get the existing value, using PCRE to maintain same regex
+ existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
+
+ if [[ ! -z ${existing_value} ]]; then
+ # replace existing_value with correct_value
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+ else
+ # ***NOTE*** #
+ # This probably means this file is not here or it's been modified
+ # unintentionally.
+ # ********** #
+ # echo correct_value to end
+ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
+ fi
+fi
@@ -14005,25 +14005,6 @@ submits to this process.
client violate expectations, and makes system configuration more
fragmented.
CCE-85870-4
-
-sshd_approved_macs=''
-
-
-if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
-
- LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
-else
- touch "/etc/crypto-policies/back-ends/openssh.config"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
-
-cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
-# Insert at the end of the file
-printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config"
-# Clean up after ourselves.
-rm "/etc/crypto-policies/back-ends/openssh.config.bak"
-
- name: XCCDF Value sshd_approved_macs # promote to variable
set_fact:
sshd_approved_macs: !!str
@@ -14068,6 +14049,25 @@ rm "/etc/crypto-policies/back-ends/openssh.config.bak"
- medium_severity
- reboot_required
- restrict_strategy
+
+
+sshd_approved_macs=''
+
+
+if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
+
+ LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
+else
+ touch "/etc/crypto-policies/back-ends/openssh.config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/crypto-policies/back-ends/openssh.config"
+
+cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"
+# Insert at the end of the file
+printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config"
+# Clean up after ourselves.
+rm "/etc/crypto-policies/back-ends/openssh.config.bak"
@@ -14115,38 +14115,6 @@ submits to this process.
server violate expectations, and makes system configuration more
fragmented.
CCE-85899-3
-
-sshd_approved_macs=''
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
-correct_value="-oMACs=${sshd_approved_macs}"
-
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
-
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
-
-grep -q "'${correct_value}'" ${CONF_FILE}
-
-if [[ $? -ne 0 ]]; then
- # We need to get the existing value, using PCRE to maintain same regex
- existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
-
- if [[ ! -z ${existing_value} ]]; then
- # replace existing_value with correct_value
- sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
- else
- # ***NOTE*** #
- # This probably means this file is not here or it's been modified
- # unintentionally.
- # ********** #
- # echo correct_value to end
- echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
- fi
-fi
-
- name: XCCDF Value sshd_approved_macs # promote to variable
set_fact:
sshd_approved_macs: !!str
@@ -14234,6 +14202,38 @@ fi
- medium_severity
- reboot_required
- restrict_strategy
+
+
+sshd_approved_macs=''
+
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oMACs=${sshd_approved_macs}"
+
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+ # We need to get the existing value, using PCRE to maintain same regex
+ existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
+
+ if [[ ! -z ${existing_value} ]]; then
+ # replace existing_value with correct_value
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+ else
+ # ***NOTE*** #
+ # This probably means this file is not here or it's been modified
+ # unintentionally.
+ # ********** #
+ # echo correct_value to end
+ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
+ fi
+fi
@@ -14288,38 +14288,6 @@ openssl()
SRG-OS-000480-GPOS-00227
This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior.
CCE-82721-2
-
-cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
-# provide a default -rand /dev/random option to openssl commands that
-# support it
-
-# written inefficiently for maximum shell compatibility
-openssl()
-(
- openssl_bin=/usr/bin/openssl
-
- case "$*" in
- # if user specified -rand, honor it
- *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
- esac
-
- cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
- for i in `$openssl_bin list -commands`; do
- if $openssl_bin list -options "$i" | grep -q '^rand '; then
- cmds=" $i $cmds"
- fi
- done
-
- case "$cmds" in
- *\ "$1"\ *)
- cmd="$1"; shift
- exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
- esac
-
- exec $openssl_bin "$@"
-)
-EOM
-
- name: Put a file with shell wrapper to configure OpenSSL to always use strong entropy
copy:
dest: /etc/profile.d/openssl-rand.sh
@@ -14360,6 +14328,38 @@ EOM
- no_reboot_needed
- openssl_use_strong_entropy
- restrict_strategy
+
+
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+EOM
@@ -14699,18 +14699,6 @@ computer viruses, as well as to limit their spread to other systems.
[customizations.services]
enabled = ["nails"]
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask 'nails.service'
-"$SYSTEMCTL_EXEC" start 'nails.service'
-"$SYSTEMCTL_EXEC" enable 'nails.service'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
include enable_nails
@@ -14747,6 +14735,18 @@ class enable_nails {
- medium_severity
- no_reboot_needed
- service_nails_enabled
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'nails.service'
+"$SYSTEMCTL_EXEC" start 'nails.service'
+"$SYSTEMCTL_EXEC" enable 'nails.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -15591,13 +15591,13 @@ option.
Access to this partition should be restricted.
CCE-83336-8
+
+part /boot
+
[[customizations.filesystem]]
mountpoint = "/boot"
size = 1073741824
-
-
-part /boot
@@ -15622,13 +15622,13 @@ of the program. If the program happened to have a security vulnerability, the at
could continue to exploit the known flaw.
CCE-86282-1
+
+part /dev/shm
+
[[customizations.filesystem]]
mountpoint = "/dev/shm"
size = 2147483648
-
-
-part /dev/shm
@@ -15677,13 +15677,13 @@ setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
CCE-81044-0
+
+part /home
+
[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824
-
-
-part /home
@@ -15703,13 +15703,13 @@ makes it easier to apply restrictions e.g. through the nosuid
CCE-83340-0
+
+part /opt
+
[[customizations.filesystem]]
mountpoint = "/opt"
size = 1073741824
-
-
-part /opt
@@ -15732,13 +15732,13 @@ more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
CCE-83387-1
+
+part /srv
+
[[customizations.filesystem]]
mountpoint = "/srv"
size = 1073741824
-
-
-part /srv
@@ -15784,13 +15784,13 @@ Placing /tmp in its own partition enables the setting of
restrictive mount options, which can help protect programs which use it.
CCE-80851-9
+
+part /tmp
+
[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824
-
-
-part /tmp
@@ -15809,13 +15809,13 @@ Putting it on a separate partition allows limiting its size and applying
restrictions through mount options.
CCE-83343-4
+
+part /usr
+
[[customizations.filesystem]]
mountpoint = "/usr"
size = 5368709120
-
-
-part /usr
@@ -15863,13 +15863,13 @@ It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages.
CCE-80852-7
+
+part /var
+
[[customizations.filesystem]]
mountpoint = "/var"
size = 3221225472
-
-
-part /var
@@ -15947,13 +15947,13 @@ enables better separation between log files
and other files in /var/.
CCE-80853-5
+
+part /var/log
+
[[customizations.filesystem]]
mountpoint = "/var/log"
size = 5368709120
-
-
-part /var/log
@@ -16046,13 +16046,13 @@ auditing cannot be halted due to the partition running out
of space.
CCE-80854-3
+
+part /var/log/audit
+
[[customizations.filesystem]]
mountpoint = "/var/log/audit"
size = 10737418240
-
-
-part /var/log/audit
@@ -16076,13 +16076,13 @@ Placing /var/tmp in its own partition enables the setting
restrictive mount options, which can help protect programs which use it.
CCE-82730-3
+
+part /var/tmp
+
[[customizations.filesystem]]
mountpoint = "/var/tmp"
size = 1073741824
-
-
-part /var/tmp
@@ -16125,24 +16125,8 @@ mode. To do so, run the following command:
A graphical environment is unnecessary for certain types of systems including a virtualization
hypervisor.
CCE-82367-4
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm; then
-
-# CAUTION: This remediation script will remove gdm
-# from the system, and may remove any packages
-# that depend on gdm. Execute this
-# remediation AFTER testing on a non-production
-# system!
-
-if rpm -q --quiet "gdm" ; then
-
- yum remove -y "gdm"
-
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
+
+package --remove=gdm
include remove_gdm
@@ -16184,8 +16168,24 @@ class remove_gdm {
- no_reboot_needed
- package_gdm_removed
-
-package --remove=gdm
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm; then
+
+# CAUTION: This remediation script will remove gdm
+# from the system, and may remove any packages
+# that depend on gdm. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+if rpm -q --quiet "gdm" ; then
+
+ yum remove -y "gdm"
+
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -16214,15 +16214,6 @@ configuration files have to be compliant, and the database needs to be more rece
which gives confidence that it reflects them.
CCE-81003-6
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -16253,6 +16244,15 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -16363,68 +16363,6 @@ After the settings have been set, run dconf update.
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)disable-restart-buttons(\s*=)/#\1disable-restart-buttons\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*disable-restart-buttons\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/login-screen/disable-restart-buttons$" /etc/dconf/db/gdm.d/
-then
- echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -16501,6 +16439,68 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
+DBDIR="/etc/dconf/db/gdm.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)disable-restart-buttons(\s*=)/#\1disable-restart-buttons\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*disable-restart-buttons\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/login-screen/disable-restart-buttons$" /etc/dconf/db/gdm.d/
+then
+ echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -16536,68 +16536,6 @@ with physical access to the system to quickly enumerate known user accounts
without logging in.
CCE-86195-5
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/
-then
- echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -16674,51 +16612,7 @@ fi
- no_reboot_needed
- unknown_strategy
-
-
-
-
-
-
-
-
- Enable the GNOME3 Login Smartcard Authentication
- In the default graphical environment, smart card authentication
-can be enabled on the login screen by setting enable-smartcard-authentication
-to true.
-
-To enable, add or edit enable-smartcard-authentication to
-/etc/dconf/db/gdm.d/00-security-settings. For example:
-[org/gnome/login-screen]
-enable-smartcard-authentication=true
-Once the setting has been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/login-screen/enable-smartcard-authentication
-After the settings have been set, run dconf update.
- CCI-000765
- CCI-000766
- CCI-000767
- CCI-000768
- CCI-000771
- CCI-000772
- CCI-000884
- CCI-001948
- CCI-001954
- IA-2(3)
- IA-2(4)
- IA-2(8)
- IA-2(9)
- IA-2(11)
- Req-8.3
- SRG-OS-000375-GPOS-00160
- SRG-OS-000376-GPOS-00161
- SRG-OS-000377-GPOS-00162
- Smart card login provides two-factor authentication stronger than
-that provided by a username and password combination. Smart cards leverage PKI
-(public key infrastructure) in order to provide and verify credentials.
-
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
@@ -16734,10 +16628,10 @@ mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
- if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}"
+ if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
then
- sed -Ei "s/(^\s*)enable-smartcard-authentication(\s*=)/#\1enable-smartcard-authentication\2/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
fi
fi
@@ -16748,16 +16642,16 @@ then
fi
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${DCONFFILE}"
+if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}"
then
- sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${DCONFFILE}"
+ sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}"
else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${DCONFFILE}"
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" \
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
@@ -16766,12 +16660,12 @@ mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
- sed -i -E "s|^/org/gnome/login-screen/enable-smartcard-authentication$|#&|" "${LOCKFILES[@]}"
+ sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"
fi
-if ! grep -qr "^/org/gnome/login-screen/enable-smartcard-authentication$" /etc/dconf/db/gdm.d/
+if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/
then
- echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
+ echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update
@@ -16780,6 +16674,50 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+ Enable the GNOME3 Login Smartcard Authentication
+ In the default graphical environment, smart card authentication
+can be enabled on the login screen by setting enable-smartcard-authentication
+to true.
+
+To enable, add or edit enable-smartcard-authentication to
+/etc/dconf/db/gdm.d/00-security-settings. For example:
+[org/gnome/login-screen]
+enable-smartcard-authentication=true
+Once the setting has been added, add a lock to
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/login-screen/enable-smartcard-authentication
+After the settings have been set, run dconf update.
+ CCI-000765
+ CCI-000766
+ CCI-000767
+ CCI-000768
+ CCI-000771
+ CCI-000772
+ CCI-000884
+ CCI-001948
+ CCI-001954
+ IA-2(3)
+ IA-2(4)
+ IA-2(8)
+ IA-2(9)
+ IA-2(11)
+ Req-8.3
+ SRG-OS-000375-GPOS-00160
+ SRG-OS-000376-GPOS-00161
+ SRG-OS-000377-GPOS-00162
+ Smart card login provides two-factor authentication stronger than
+that provided by a username and password combination. Smart cards leverage PKI
+(public key infrastructure) in order to provide and verify credentials.
+
- name: Gather the package facts
package_facts:
manager: auto
@@ -16864,92 +16802,60 @@ fi
- no_reboot_needed
- unknown_strategy
-
-
-
-
-
-
-
-
- Enable the GNOME3 Screen Locking On Smartcard Removal
- In the default graphical environment, screen locking on smartcard removal
-can be enabled by setting removal-action
-to 'lock-screen'.
-
-To enable, add or edit removal-action to
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/settings-daemon/peripherals/smartcard]
-removal-action='lock-screen'
-Once the setting has been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/settings-daemon/peripherals/smartcard/removal-action
-After the settings have been set, run dconf update.
- CCI-000056
- CCI-000058
- SRG-OS-000028-GPOS-00009
- SRG-OS-000030-GPOS-00011
- RHEL-08-020050
- SV-230351r792899_rule
- Locking the screen automatically when removing the smartcard can
-prevent undesired access to system.
-
- CCE-83910-0
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
+DBDIR="/etc/dconf/db/gdm.d"
mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
- if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}"
+ if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}"
then
- sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)enable-smartcard-authentication(\s*=)/#\1enable-smartcard-authentication\2/g" "${SETTINGSFILES[@]}"
fi
fi
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
then
- printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
+ printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
-if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${DCONFFILE}"
then
- sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}"
+ sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${DCONFFILE}"
else
- sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}"
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
- sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}"
+ sed -i -E "s|^/org/gnome/login-screen/enable-smartcard-authentication$|#&|" "${LOCKFILES[@]}"
fi
-if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/
+if ! grep -qr "^/org/gnome/login-screen/enable-smartcard-authentication$" /etc/dconf/db/gdm.d/
then
- echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+ echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi
dconf update
@@ -16958,6 +16864,38 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+ Enable the GNOME3 Screen Locking On Smartcard Removal
+ In the default graphical environment, screen locking on smartcard removal
+can be enabled by setting removal-action
+to 'lock-screen'.
+
+To enable, add or edit removal-action to
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/settings-daemon/peripherals/smartcard]
+removal-action='lock-screen'
+Once the setting has been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/settings-daemon/peripherals/smartcard/removal-action
+After the settings have been set, run dconf update.
+ CCI-000056
+ CCI-000058
+ SRG-OS-000028-GPOS-00009
+ SRG-OS-000030-GPOS-00011
+ RHEL-08-020050
+ SV-230351r792899_rule
+ Locking the screen automatically when removing the smartcard can
+prevent undesired access to system.
+
+ CCE-83910-0
- name: Gather the package facts
package_facts:
manager: auto
@@ -17111,90 +17049,60 @@ fi
- no_reboot_needed
- unknown_strategy
-
-
-
-
-
-
-
-
- Set the GNOME3 Login Number of Failures
- In the default graphical environment, the GNOME3 login
-screen and be configured to restart the authentication process after
-a configured number of attempts. This can be configured by setting
-allowed-failures to 3 or less.
-
-To enable, add or edit allowed-failures to
-/etc/dconf/db/gdm.d/00-security-settings. For example:
-[org/gnome/login-screen]
-allowed-failures=3
-Once the setting has been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/login-screen/allowed-failures
-After the settings have been set, run dconf update.
- 3.1.8
- FMT_MOF_EXT.1
- Setting the password retry prompts that are permitted on a per-session basis to a low value
-requires some software, such as SSH, to re-connect. This can slow down and
-draw additional attention to some types of password-guessing attacks.
-
- CCE-80771-9
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
- if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}"
+ if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}"
then
- sed -Ei "s/(^\s*)allowed-failures(\s*=)/#\1allowed-failures\2/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}"
fi
fi
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}"
then
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+ printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
fi
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")"
-if grep -q "^\\s*allowed-failures\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
+if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}"
then
- sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${DCONFFILE}"
+ sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}"
else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${DCONFFILE}"
+ sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
+LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
- sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|" "${LOCKFILES[@]}"
+ sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}"
fi
-if ! grep -qr "^/org/gnome/login-screen/allowed-failures$" /etc/dconf/db/gdm.d/
+if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/
then
- echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
+ echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
@@ -17203,6 +17111,36 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+ Set the GNOME3 Login Number of Failures
+ In the default graphical environment, the GNOME3 login
+screen and be configured to restart the authentication process after
+a configured number of attempts. This can be configured by setting
+allowed-failures to 3 or less.
+
+To enable, add or edit allowed-failures to
+/etc/dconf/db/gdm.d/00-security-settings. For example:
+[org/gnome/login-screen]
+allowed-failures=3
+Once the setting has been added, add a lock to
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/login-screen/allowed-failures
+After the settings have been set, run dconf update.
+ 3.1.8
+ FMT_MOF_EXT.1
+ Setting the password retry prompts that are permitted on a per-session basis to a low value
+requires some software, such as SSH, to re-connect. This can slow down and
+draw additional attention to some types of password-guessing attacks.
+
+ CCE-80771-9
- name: Gather the package facts
package_facts:
manager: auto
@@ -17270,6 +17208,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
+DBDIR="/etc/dconf/db/gdm.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)allowed-failures(\s*=)/#\1allowed-failures\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")"
+if grep -q "^\\s*allowed-failures\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/login-screen/allowed-failures$" /etc/dconf/db/gdm.d/
+then
+ echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -17318,24 +17318,6 @@ AutomaticLoginEnable=false
system security.
CCE-80823-8
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if rpm --quiet -q gdm
-then
- if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
- then
- sed -i "/^\[daemon\]/a \
- AutomaticLoginEnable=False" /etc/gdm/custom.conf
- else
- sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
- fi
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -17379,6 +17361,24 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if rpm --quiet -q gdm
+then
+ if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
+ then
+ sed -i "/^\[daemon\]/a \
+ AutomaticLoginEnable=False" /etc/gdm/custom.conf
+ else
+ sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -17426,24 +17426,6 @@ TimedLoginEnable=false
system security.
CCE-80824-6
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-if rpm --quiet -q gdm
-then
- if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
- then
- sed -i "/^\[daemon\]/a \
- TimedLoginEnable=false" /etc/gdm/custom.conf
- else
- sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf
- fi
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -17487,6 +17469,24 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+if rpm --quiet -q gdm
+then
+ if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
+ then
+ sed -i "/^\[daemon\]/a \
+ TimedLoginEnable=false" /etc/gdm/custom.conf
+ else
+ sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -17512,28 +17512,6 @@ remote session. If a privileged user were to login using XDMCP, the
privileged user password could be compromised due to typed XEvents
and keystrokes will traversing over the network in clear text.
CCE-86007-2
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm; then
-
-# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set
-# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there
-if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then
-
- sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm/custom.conf'
-elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then
- sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm/custom.conf'
-else
- if test -d "/etc/gdm"; then
- printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm/custom.conf'
- else
- echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2
- fi
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -17563,6 +17541,28 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm; then
+
+# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set
+# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there
+if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then
+
+ sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm/custom.conf'
+elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then
+ sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm/custom.conf'
+else
+ if test -d "/etc/gdm"; then
+ printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm/custom.conf'
+ else
+ echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -17638,68 +17638,6 @@ It will, however, also prevent desktop users from legitimate use
of removable media.
CCE-89904-7
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
-if grep -q "^\\s*automount\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -17783,6 +17721,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
+if grep -q "^\\s*automount\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -17855,68 +17855,6 @@ It will, however, also prevent desktop users from legitimate use
of removable media.
CCE-83693-2
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
-if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -18000,6 +17938,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
+if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -18070,68 +18070,6 @@ It will, however, also prevent desktop users from legitimate use
of removable media.
CCE-83742-7
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -18211,6 +18149,68 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -18309,68 +18309,6 @@ file to exploit this flaw. Assuming the attacker could place the malicious file
malicious file would exploit the thumbnailer with the potential for malicious code execution. It
is best to disable these thumbnailer applications unless they are explicitly required.
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)disable-all(\s*=)/#\1disable-all\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*disable-all\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/thumbnailers/disable-all$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/thumbnailers/disable-all$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -18443,42 +18381,13 @@ fi
- unknown_severity
- unknown_strategy
-
-
-
-
-
-
-
-
-
- GNOME Network Settings
- GNOME network settings that apply to the graphical interface.
-
- Disable WIFI Network Connection Creation in GNOME3
- GNOME allows users to create ad-hoc wireless connections through the
-NetworkManager applet. Wireless connections should be disabled by
-adding or setting disable-wifi-create to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/nm-applet]
-disable-wifi-create=true
-
-Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/nm-applet/disable-wifi-create
-After the settings have been set, run dconf update.
- 3.1.16
- Wireless network connections should not be allowed to be configured by general
-users on a given system as it could open the system to backdoor attacks.
-
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
@@ -18488,30 +18397,30 @@ mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
- if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}"
+ if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}"
then
- sed -Ei "s/(^\s*)disable-wifi-create(\s*=)/#\1disable-wifi-create\2/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)disable-all(\s*=)/#\1disable-all\2/g" "${SETTINGSFILES[@]}"
fi
fi
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}"
then
- printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE}
+ printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE}
fi
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*disable-wifi-create\\s*=" "${DCONFFILE}"
+if grep -q "^\\s*disable-all\\s*=" "${DCONFFILE}"
then
- sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${DCONFFILE}"
+ sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${DCONFFILE}"
else
- sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${DCONFFILE}"
+ sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" \
+LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
@@ -18520,12 +18429,12 @@ mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
- sed -i -E "s|^/org/gnome/nm-applet/disable-wifi-create$|#&|" "${LOCKFILES[@]}"
+ sed -i -E "s|^/org/gnome/desktop/thumbnailers/disable-all$|#&|" "${LOCKFILES[@]}"
fi
-if ! grep -qr "^/org/gnome/nm-applet/disable-wifi-create$" /etc/dconf/db/local.d/
+if ! grep -qr "^/org/gnome/desktop/thumbnailers/disable-all$" /etc/dconf/db/local.d/
then
- echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+ echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
@@ -18534,6 +18443,35 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+
+ GNOME Network Settings
+ GNOME network settings that apply to the graphical interface.
+
+ Disable WIFI Network Connection Creation in GNOME3
+ GNOME allows users to create ad-hoc wireless connections through the
+NetworkManager applet. Wireless connections should be disabled by
+adding or setting disable-wifi-create to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/nm-applet]
+disable-wifi-create=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/nm-applet/disable-wifi-create
+After the settings have been set, run dconf update.
+ 3.1.16
+ Wireless network connections should not be allowed to be configured by general
+users on a given system as it could open the system to backdoor attacks.
+
- name: Gather the package facts
package_facts:
manager: auto
@@ -18598,34 +18536,7 @@ fi
- no_reboot_needed
- unknown_strategy
-
-
-
-
-
-
-
-
- Disable WIFI Network Notification in GNOME3
- By default, GNOME disables WIFI notification. This should be permanently set
-so that users do not connect to a wireless network when the system finds one.
-While useful for mobile devices, this setting should be disabled for all other systems.
-To configure the system to disable the WIFI notication, add or set
-suppress-wireless-networks-available to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/nm-applet]
-suppress-wireless-networks-available=true
-
-Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/nm-applet/suppress-wireless-networks-available
-After the settings have been set, run dconf update.
- 3.1.16
- Wireless network connections should not be allowed to be configured by general
-users on a given system as it could open the system to backdoor attacks.
-
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
@@ -18641,10 +18552,10 @@ mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
- if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}"
+ if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}"
then
- sed -Ei "s/(^\s*)suppress-wireless-networks-available(\s*=)/#\1suppress-wireless-networks-available\2/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)disable-wifi-create(\s*=)/#\1disable-wifi-create\2/g" "${SETTINGSFILES[@]}"
fi
fi
@@ -18655,16 +18566,16 @@ then
fi
escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${DCONFFILE}"
+if grep -q "^\\s*disable-wifi-create\\s*=" "${DCONFFILE}"
then
- sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${DCONFFILE}"
+ sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${DCONFFILE}"
else
- sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${DCONFFILE}"
+ sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" \
+LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
@@ -18673,12 +18584,12 @@ mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
- sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}"
+ sed -i -E "s|^/org/gnome/nm-applet/disable-wifi-create$|#&|" "${LOCKFILES[@]}"
fi
-if ! grep -qr "^/org/gnome/nm-applet/suppress-wireless-networks-available$" /etc/dconf/db/local.d/
+if ! grep -qr "^/org/gnome/nm-applet/disable-wifi-create$" /etc/dconf/db/local.d/
then
- echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+ echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
@@ -18687,6 +18598,33 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+ Disable WIFI Network Notification in GNOME3
+ By default, GNOME disables WIFI notification. This should be permanently set
+so that users do not connect to a wireless network when the system finds one.
+While useful for mobile devices, this setting should be disabled for all other systems.
+To configure the system to disable the WIFI notication, add or set
+suppress-wireless-networks-available to true in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/nm-applet]
+suppress-wireless-networks-available=true
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/nm-applet/suppress-wireless-networks-available
+After the settings have been set, run dconf update.
+ 3.1.16
+ Wireless network connections should not be allowed to be configured by general
+users on a given system as it could open the system to backdoor attacks.
+
- name: Gather the package facts
package_facts:
manager: auto
@@ -18751,49 +18689,13 @@ fi
- no_reboot_needed
- unknown_strategy
-
-
-
-
-
-
-
-
-
- GNOME Remote Access Settings
- GNOME remote access settings that apply to the graphical interface.
-
- Require Credential Prompting for Remote Access in GNOME3
- By default, GNOME does not require credentials when using Vino for
-remote access. To configure the system to require remote credentials, add or set
-authentication-methods to ['vnc'] in
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/Vino]
-authentication-methods=['vnc']
-
-Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/Vino/authentication-methods
-After the settings have been set, run dconf update.
- 3.1.12
- 164.308(a)(4)(i)
- 164.308(b)(1)
- 164.308(b)(3)
- 164.310(b)
- 164.312(e)(1)
- 164.312(e)(2)(ii)
- Username and password prompting is required for remote access. Otherwise, non-authorized
-and nefarious users can access the system freely.
-
- CCE-80772-7
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"
@@ -18803,30 +18705,30 @@ mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
- if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
+ if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}"
then
- sed -Ei "s/(^\s*)authentication-methods(\s*=)/#\1authentication-methods\2/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)suppress-wireless-networks-available(\s*=)/#\1suppress-wireless-networks-available\2/g" "${SETTINGSFILES[@]}"
fi
fi
[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}"
then
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
+ printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE}
fi
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
-if grep -q "^\\s*authentication-methods\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${DCONFFILE}"
then
- sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${DCONFFILE}"
+ sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${DCONFFILE}"
else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${DCONFFILE}"
+ sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" \
+LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
@@ -18835,12 +18737,12 @@ mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
- sed -i -E "s|^/org/gnome/Vino/authentication-methods$|#&|" "${LOCKFILES[@]}"
+ sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}"
fi
-if ! grep -qr "^/org/gnome/Vino/authentication-methods$" /etc/dconf/db/local.d/
+if ! grep -qr "^/org/gnome/nm-applet/suppress-wireless-networks-available$" /etc/dconf/db/local.d/
then
- echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+ echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
@@ -18849,6 +18751,42 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+
+ GNOME Remote Access Settings
+ GNOME remote access settings that apply to the graphical interface.
+
+ Require Credential Prompting for Remote Access in GNOME3
+ By default, GNOME does not require credentials when using Vino for
+remote access. To configure the system to require remote credentials, add or set
+authentication-methods to ['vnc'] in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/Vino]
+authentication-methods=['vnc']
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/Vino/authentication-methods
+After the settings have been set, run dconf update.
+ 3.1.12
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ Username and password prompting is required for remote access. Otherwise, non-authorized
+and nefarious users can access the system freely.
+
+ CCE-80772-7
- name: Gather the package facts
package_facts:
manager: auto
@@ -18916,6 +18854,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)authentication-methods(\s*=)/#\1authentication-methods\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
+if grep -q "^\\s*authentication-methods\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/Vino/authentication-methods$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/Vino/authentication-methods$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -18990,68 +18990,6 @@ After the settings have been set, run dconf update.
CCE-80773-5
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)require-encryption(\s*=)/#\1require-encryption\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*require-encryption\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/Vino/require-encryption$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/Vino/require-encryption$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -19131,6 +19069,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)require-encryption(\s*=)/#\1require-encryption\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*require-encryption\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/Vino/require-encryption$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/Vino/require-encryption$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -19241,68 +19241,6 @@ login session does not have administrator rights and the display station is loca
controlled-access area.
CCE-80774-3
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*idle-activation-enabled\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -19390,6 +19328,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*idle-activation-enabled\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -19446,48 +19446,21 @@ After the settings have been set, run dconf update.A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense.
CCE-83858-1
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm; then
-
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- - name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - CCE-83858-1
- - CJIS-5.5.5
- - NIST-800-171-3.1.10
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.8
- - dconf_gnome_screensaver_idle_activation_locked
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83858-1
+ - CJIS-5.5.5
+ - NIST-800-171-3.1.10
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.1.8
+ - dconf_gnome_screensaver_idle_activation_locked
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
- name: Prevent user modification of GNOME Screensaver idle-activation-enabled
lineinfile:
@@ -19524,6 +19497,33 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm; then
+
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -19592,52 +19592,6 @@ system session prior to vacating the vicinity, GNOME3 can be configured to ident
a user's session has idled and take action to initiate a session lock.
CCE-80775-0
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-inactivity_timeout_value=''
-
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
-if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -19709,6 +19663,52 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+inactivity_timeout_value=''
+
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
+if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -19774,52 +19774,6 @@ After the settings have been set, run dconf update.
CCE-80776-8
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-var_screensaver_lock_delay=''
-
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
-if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -19888,6 +19842,52 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+var_screensaver_lock_delay=''
+
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
+if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -19958,68 +19958,6 @@ After the settings have been set, run dconf update.
CCE-80777-6
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -20225,6 +20163,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -20285,33 +20285,6 @@ After the settings have been set, run dconf update.A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense.
CCE-87261-4
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm; then
-
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -20366,6 +20339,33 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm; then
+
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -20434,68 +20434,6 @@ After the settings have been set, run dconf update.
CCE-80778-4
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)picture-uri(\s*=)/#\1picture-uri\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")"
-if grep -q "^\\s*picture-uri\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/screensaver/picture-uri$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/picture-uri$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -20588,34 +20526,7 @@ fi
- no_reboot_needed
- unknown_strategy
-
-
-
-
-
-
-
-
- Disable Full User Name on Splash Shield
- By default when the screen is locked, the splash shield will show the user's
-full name. This should be disabled to prevent casual observers from seeing
-who has access to the system. This can be disabled by adding or setting
-show-full-name-in-top-bar to false in
-/etc/dconf/db/local.d/00-security-settings. For example:
-[org/gnome/desktop/screensaver]
-show-full-name-in-top-bar=false
-
-Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
-For example:
-/org/gnome/desktop/screensaver/show-full-name-in-top-bar
-After the settings have been set, run dconf update.
- FMT_MOF_EXT.1
- Setting the splash screen to not reveal the logged in user's name
-conceals who has access to the system from passersby.
-
- CCE-80779-2
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
@@ -20631,10 +20542,10 @@ mkdir -p "${DBDIR}"
# Comment out the configurations in databases different from the target one
if [ "${#SETTINGSFILES[@]}" -ne 0 ]
then
- if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}"
+ if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}"
then
- sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)picture-uri(\s*=)/#\1picture-uri\2/g" "${SETTINGSFILES[@]}"
fi
fi
@@ -20644,17 +20555,17 @@ then
printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
fi
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
-if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${DCONFFILE}"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")"
+if grep -q "^\\s*picture-uri\\s*=" "${DCONFFILE}"
then
- sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${DCONFFILE}"
+ sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${DCONFFILE}"
else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${DCONFFILE}"
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${DCONFFILE}"
fi
dconf update
# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" \
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" \
| grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"
@@ -20663,12 +20574,12 @@ mkdir -p "${LOCKSFOLDER}"
# Comment out the configurations in databases different from the target one
if [[ ! -z "${LOCKFILES}" ]]
then
- sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|" "${LOCKFILES[@]}"
+ sed -i -E "s|^/org/gnome/desktop/screensaver/picture-uri$|#&|" "${LOCKFILES[@]}"
fi
-if ! grep -qr "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" /etc/dconf/db/local.d/
+if ! grep -qr "^/org/gnome/desktop/screensaver/picture-uri$" /etc/dconf/db/local.d/
then
- echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+ echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi
dconf update
@@ -20677,6 +20588,33 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+ Disable Full User Name on Splash Shield
+ By default when the screen is locked, the splash shield will show the user's
+full name. This should be disabled to prevent casual observers from seeing
+who has access to the system. This can be disabled by adding or setting
+show-full-name-in-top-bar to false in
+/etc/dconf/db/local.d/00-security-settings. For example:
+[org/gnome/desktop/screensaver]
+show-full-name-in-top-bar=false
+
+Once the settings have been added, add a lock to
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+For example:
+/org/gnome/desktop/screensaver/show-full-name-in-top-bar
+After the settings have been set, run dconf update.
+ FMT_MOF_EXT.1
+ Setting the splash screen to not reveal the logged in user's name
+conceals who has access to the system from passersby.
+
+ CCE-80779-2
- name: Gather the package facts
package_facts:
manager: auto
@@ -20740,6 +20678,68 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
+if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -20802,33 +20802,6 @@ GNOME desktops can be configured to identify when a user's session has idled and
session lock. As such, users should not be allowed to change session settings.
CCE-80780-0
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -20881,6 +20854,33 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -20945,33 +20945,6 @@ GNOME desktops can be configured to identify when a user's session has idled and
session lock. As such, users should not be allowed to change session settings.
CCE-80781-8
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -21030,6 +21003,33 @@ fi
- medium_severity
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/session/idle-delay$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/session/idle-delay$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -21117,68 +21117,6 @@ the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
CCE-84028-0
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")"
-if grep -q "^\\s*logout\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -21262,6 +21200,68 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)logout(\s*=)/#\1logout\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")"
+if grep -q "^\\s*logout\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/settings-daemon/plugins/media-keys/logout$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/settings-daemon/plugins/media-keys/logout$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -21294,6 +21294,101 @@ After the settings have been set, run dconf update.
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - dconf_gnome_disable_geolocation
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
+
+- name: Disable Geolocation in GNOME3 - location tracking
+ ini_file:
+ dest: /etc/dconf/db/local.d/00-security-settings
+ section: org/gnome/system/location
+ option: enabled
+ value: 'false'
+ create: true
+ no_extra_spaces: true
+ when:
+ - '"gdm" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - dconf_gnome_disable_geolocation
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
+
+- name: Disable Geolocation in GNOME3 - clock location tracking
+ ini_file:
+ dest: /etc/dconf/db/local.d/00-security-settings
+ section: org/gnome/clocks
+ option: gelocation
+ value: 'false'
+ create: true
+ when:
+ - '"gdm" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - dconf_gnome_disable_geolocation
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
+
+- name: Prevent user modification of GNOME geolocation - location tracking
+ lineinfile:
+ path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+ regexp: ^/org/gnome/system/location/enabled$
+ line: /org/gnome/system/location/enabled
+ create: true
+ when:
+ - '"gdm" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - dconf_gnome_disable_geolocation
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
+
+- name: Prevent user modification of GNOME geolocation - clock location tracking
+ lineinfile:
+ path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+ regexp: ^/org/gnome/clocks/geolocation$
+ line: /org/gnome/clocks/geolocation
+ create: true
+ when:
+ - '"gdm" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - dconf_gnome_disable_geolocation
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
+
+- name: Dconf Update
+ command: dconf update
+ when:
+ - '"gdm" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - dconf_gnome_disable_geolocation
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - no_reboot_needed
+ - unknown_strategy
+
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
@@ -21409,101 +21504,6 @@ dconf update
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
-
- - name: Gather the package facts
- package_facts:
- manager: auto
- tags:
- - dconf_gnome_disable_geolocation
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
-
-- name: Disable Geolocation in GNOME3 - location tracking
- ini_file:
- dest: /etc/dconf/db/local.d/00-security-settings
- section: org/gnome/system/location
- option: enabled
- value: 'false'
- create: true
- no_extra_spaces: true
- when:
- - '"gdm" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - dconf_gnome_disable_geolocation
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
-
-- name: Disable Geolocation in GNOME3 - clock location tracking
- ini_file:
- dest: /etc/dconf/db/local.d/00-security-settings
- section: org/gnome/clocks
- option: gelocation
- value: 'false'
- create: true
- when:
- - '"gdm" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - dconf_gnome_disable_geolocation
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
-
-- name: Prevent user modification of GNOME geolocation - location tracking
- lineinfile:
- path: /etc/dconf/db/local.d/locks/00-security-settings-lock
- regexp: ^/org/gnome/system/location/enabled$
- line: /org/gnome/system/location/enabled
- create: true
- when:
- - '"gdm" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - dconf_gnome_disable_geolocation
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
-
-- name: Prevent user modification of GNOME geolocation - clock location tracking
- lineinfile:
- path: /etc/dconf/db/local.d/locks/00-security-settings-lock
- regexp: ^/org/gnome/clocks/geolocation$
- line: /org/gnome/clocks/geolocation
- create: true
- when:
- - '"gdm" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - dconf_gnome_disable_geolocation
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
-
-- name: Dconf Update
- command: dconf update
- when:
- - '"gdm" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- tags:
- - dconf_gnome_disable_geolocation
- - low_complexity
- - medium_disruption
- - medium_severity
- - no_reboot_needed
- - unknown_strategy
@@ -21562,68 +21562,6 @@ unintended configuration changes as well as a nefarious user the capability to m
changes such as adding new accounts, etc.
CCE-80769-3
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
-DBDIR="/etc/dconf/db/local.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
- if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}"
- then
-
- sed -Ei "s/(^\s*)user-administration-disabled(\s*=)/#\1user-administration-disabled\2/g" "${SETTINGSFILES[@]}"
- fi
-fi
-
-[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
-if ! grep -q "\\[org/gnome/desktop/lockdown\\]" "${DCONFFILE}"
-then
- printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE}
-fi
-
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
-if grep -q "^\\s*user-administration-disabled\\s*=" "${DCONFFILE}"
-then
- sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${DCONFFILE}"
- else
- sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${DCONFFILE}"
-fi
-
-dconf update
-# Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" \
- | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
-LOCKSFOLDER="/etc/dconf/db/local.d/locks"
-
-mkdir -p "${LOCKSFOLDER}"
-
-# Comment out the configurations in databases different from the target one
-if [[ ! -z "${LOCKFILES}" ]]
-then
- sed -i -E "s|^/org/gnome/desktop/lockdown/user-administration-disabled$|#&|" "${LOCKFILES[@]}"
-fi
-
-if ! grep -qr "^/org/gnome/desktop/lockdown/user-administration-disabled$" /etc/dconf/db/local.d/
-then
- echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
-fi
-
-dconf update
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -21775,6 +21713,68 @@ fi
- medium_disruption
- no_reboot_needed
- unknown_strategy
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Check for setting in any of the DConf db directories
+# If files contain ibus or distro, ignore them.
+# The assignment assumes that individual filenames don't contain :
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
+DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
+DBDIR="/etc/dconf/db/local.d"
+
+mkdir -p "${DBDIR}"
+
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
+then
+ if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}"
+ then
+
+ sed -Ei "s/(^\s*)user-administration-disabled(\s*=)/#\1user-administration-disabled\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/lockdown\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*user-administration-disabled\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${DCONFFILE}"
+ else
+ sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${DCONFFILE}"
+fi
+
+dconf update
+# Check for setting in any of the DConf db directories
+LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
+LOCKSFOLDER="/etc/dconf/db/local.d/locks"
+
+mkdir -p "${LOCKSFOLDER}"
+
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/lockdown/user-administration-disabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/lockdown/user-administration-disabled$" /etc/dconf/db/local.d/
+then
+ echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
+fi
+
+dconf update
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -21870,21 +21870,13 @@ is to give as few privileges as possible but still allow system users to
get their work done.
CCE-82214-8
+
+package --add=sudo
+
[[packages]]
name = "sudo"
version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "sudo" ; then
- yum install -y "sudo"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
include install_sudo
@@ -21910,8 +21902,16 @@ class install_sudo {
- no_reboot_needed
- package_sudo_installed
-
-package --add=sudo
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "sudo" ; then
+ yum install -y "sudo"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -21932,6 +21932,21 @@ in /etc/sudoers.d/.
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information.
CCE-83820-1
+ - name: Ensure env_reset is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\benv_reset\b.*$
+ line: Defaults env_reset
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - CCE-83820-1
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_env_reset
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -21952,21 +21967,6 @@ else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
-
- - name: Ensure env_reset is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\benv_reset\b.*$
- line: Defaults env_reset
- validate: /usr/sbin/visudo -cf %s
- tags:
- - CCE-83820-1
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_env_reset
@@ -21987,6 +21987,21 @@ in /etc/sudoers.d/.
Ignoring the commands in the user's current directory prevents an attacker from executing commands
downloaded locally.
CCE-83810-2
+ - name: Ensure ignore_dot is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
+ line: Defaults ignore_dot
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - CCE-83810-2
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_ignore_dot
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -22007,21 +22022,6 @@ else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
-
- - name: Ensure ignore_dot is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
- line: Defaults ignore_dot
- validate: /usr/sbin/visudo -cf %s
- tags:
- - CCE-83810-2
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_ignore_dot
@@ -22041,6 +22041,21 @@ in /etc/sudoers.d/.
Restricting the capability of sudo allowed commands to execute sub-commands
prevents users from running programs with privileges they wouldn't have otherwise.
CCE-83747-6
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - CCE-83747-6
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -22061,21 +22076,6 @@ else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
-
- - name: Ensure noexec is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\bnoexec\b.*$
- line: Defaults noexec
- validate: /usr/sbin/visudo -cf %s
- tags:
- - CCE-83747-6
- - high_severity
- - low_complexity
- - low_disruption
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_noexec
@@ -22095,38 +22095,6 @@ The passwd_timeout should be configured by making sure that the
in /etc/sudoers.d/.
Reducing the time sudo waits for a a password reduces the time the process is exposed.
CCE-83964-7
-
-
-var_sudo_passwd_timeout=''
-
-
-if /usr/sbin/visudo -qcf /etc/sudoers; then
- cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults[\s]*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then
- # sudoers file doesn't define Option passwd_timeout
- echo "Defaults passwd_timeout=${var_sudo_passwd_timeout}" >> /etc/sudoers
- else
- # sudoers file defines Option passwd_timeout, remediate if appropriate value is not set
- if ! grep -P "^[\s]*Defaults.*\bpasswd_timeout=${var_sudo_passwd_timeout}\b.*$" /etc/sudoers; then
-
- escaped_variable=${var_sudo_passwd_timeout//$'/'/$'\/'}
- sed -Ei "s/(^[\s]*Defaults.*\bpasswd_timeout=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
- fi
- fi
-
- # Check validity of sudoers and cleanup bak
- if /usr/sbin/visudo -qcf /etc/sudoers; then
- rm -f /etc/sudoers.bak
- else
- echo "Fail to validate remediated /etc/sudoers, reverting to original file."
- mv /etc/sudoers.bak /etc/sudoers
- false
- fi
-else
- echo "Skipping remediation, /etc/sudoers failed to validate"
- false
-fi
-
- name: XCCDF Value var_sudo_passwd_timeout # promote to variable
set_fact:
var_sudo_passwd_timeout: !!str
@@ -22164,6 +22132,38 @@ fi
- no_reboot_needed
- restrict_strategy
- sudo_add_passwd_timeout
+
+
+
+var_sudo_passwd_timeout=''
+
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults[\s]*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option passwd_timeout
+ echo "Defaults passwd_timeout=${var_sudo_passwd_timeout}" >> /etc/sudoers
+ else
+ # sudoers file defines Option passwd_timeout, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*\bpasswd_timeout=${var_sudo_passwd_timeout}\b.*$" /etc/sudoers; then
+
+ escaped_variable=${var_sudo_passwd_timeout//$'/'/$'\/'}
+ sed -Ei "s/(^[\s]*Defaults.*\bpasswd_timeout=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
@@ -22184,6 +22184,21 @@ in /etc/sudoers.d/.
Restricting the use cases in which a user is allowed to execute sudo commands
reduces the attack surface.
CCE-83790-6
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - CCE-83790-6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
@@ -22204,21 +22219,6 @@ else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
-
- - name: Ensure requiretty is enabled in /etc/sudoers
- lineinfile:
- path: /etc/sudoers
- regexp: ^[\s]*Defaults.*\brequiretty\b.*$
- line: Defaults requiretty
- validate: /usr/sbin/visudo -cf %s
- tags:
- - CCE-83790-6
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
- - sudo_add_requiretty
@@ -22241,38 +22241,6 @@ in /etc/sudoers.d/.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
CCE-83860-7
-
-
-var_sudo_umask=''
-
-
-if /usr/sbin/visudo -qcf /etc/sudoers; then
- cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults[\s]*\bumask=\w+\b\b.*$' /etc/sudoers; then
- # sudoers file doesn't define Option umask
- echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers
- else
- # sudoers file defines Option umask, remediate if appropriate value is not set
- if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then
-
- escaped_variable=${var_sudo_umask//$'/'/$'\/'}
- sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
- fi
- fi
-
- # Check validity of sudoers and cleanup bak
- if /usr/sbin/visudo -qcf /etc/sudoers; then
- rm -f /etc/sudoers.bak
- else
- echo "Fail to validate remediated /etc/sudoers, reverting to original file."
- mv /etc/sudoers.bak /etc/sudoers
- false
- fi
-else
- echo "Skipping remediation, /etc/sudoers failed to validate"
- false
-fi
-
- name: XCCDF Value var_sudo_umask # promote to variable
set_fact:
var_sudo_umask: !!str
@@ -22310,6 +22278,38 @@ fi
- no_reboot_needed
- restrict_strategy
- sudo_add_umask
+
+
+
+var_sudo_umask=''
+
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults[\s]*\bumask=\w+\b\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option umask
+ echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers
+ else
+ # sudoers file defines Option umask, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then
+
+ escaped_variable=${var_sudo_umask//$'/'/$'\/'}
+ sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
@@ -22334,33 +22334,6 @@ in /etc/sudoers.d/.
access to the user's terminal after the main program has finished executing.
CCE-83798-9
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q sudo; then
-
-if /usr/sbin/visudo -qcf /etc/sudoers; then
- cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then
- # sudoers file doesn't define Option use_pty
- echo "Defaults use_pty" >> /etc/sudoers
- fi
-
- # Check validity of sudoers and cleanup bak
- if /usr/sbin/visudo -qcf /etc/sudoers; then
- rm -f /etc/sudoers.bak
- else
- echo "Fail to validate remediated /etc/sudoers, reverting to original file."
- mv /etc/sudoers.bak /etc/sudoers
- false
- fi
-else
- echo "Skipping remediation, /etc/sudoers failed to validate"
- false
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -22393,42 +22366,14 @@ fi
- restrict_strategy
- sudo_add_use_pty
-
-
-
-
-
-
-
-
- Ensure Sudo Logfile Exists - sudo logfile
- A custom log sudo file can be configured with the 'logfile' tag. This rule configures
-a sudo custom logfile at the default location suggested by CIS, which uses
-/var/log/sudo.log.
- Req-10.2.5
- 2.2.6
- 5.3.3
- A sudo log file simplifies auditing of sudo commands.
-
- CCE-83601-5
- # Remediation is applicable only in certain platforms
+ # Remediation is applicable only in certain platforms
if rpm --quiet -q sudo; then
-var_sudo_logfile=''
-
-
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then
- # sudoers file doesn't define Option logfile
- echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
- else
- # sudoers file defines Option logfile, remediate if appropriate value is not set
- if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
-
- escaped_variable=${var_sudo_logfile//$'/'/$'\/'}
- sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
- fi
+ if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option use_pty
+ echo "Defaults use_pty" >> /etc/sudoers
fi
# Check validity of sudoers and cleanup bak
@@ -22448,6 +22393,24 @@ else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+
+
+
+
+
+
+
+ Ensure Sudo Logfile Exists - sudo logfile
+ A custom log sudo file can be configured with the 'logfile' tag. This rule configures
+a sudo custom logfile at the default location suggested by CIS, which uses
+/var/log/sudo.log.
+ Req-10.2.5
+ 2.2.6
+ 5.3.3
+ A sudo log file simplifies auditing of sudo commands.
+
+ CCE-83601-5
- name: Gather the package facts
package_facts:
manager: auto
@@ -22505,6 +22468,43 @@ fi
- no_reboot_needed
- restrict_strategy
- sudo_custom_logfile
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q sudo; then
+
+var_sudo_logfile=''
+
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option logfile
+ echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
+ else
+ # sudoers file defines Option logfile, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
+
+ escaped_variable=${var_sudo_logfile//$'/'/$'\/'}
+ sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -22594,22 +22594,6 @@ do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
CCE-82202-3
-
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-
- name: Find /etc/sudoers.d/ files
find:
paths:
@@ -22647,6 +22631,22 @@ done
- no_reboot_needed
- restrict_strategy
- sudo_remove_no_authenticate
+
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "!authenticate" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
@@ -22720,22 +22720,6 @@ When operating systems provide the capability to escalate a functional capabilit
is critical that the user re-authenticate.
CCE-82197-5
-
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "NOPASSWD" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-
- name: Find /etc/sudoers.d/ files
find:
paths:
@@ -22773,6 +22757,22 @@ done
- no_reboot_needed
- restrict_strategy
- sudo_remove_nopasswd
+
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "NOPASSWD" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
@@ -22840,37 +22840,6 @@ do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
CCE-82279-1
-
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "NOPASSWD" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-
-for f in /etc/sudoers /etc/sudoers.d/* ; do
- if [ ! -e "$f" ] ; then
- continue
- fi
- matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
- if ! test -z "$matching_list"; then
- while IFS= read -r entry; do
- # comment out "!authenticate" matches to preserve user data
- sed -i "s/^${entry}$/# &/g" $f
- done <<< "$matching_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
-
- name: Find /etc/sudoers.d/ files
find:
paths:
@@ -22946,6 +22915,37 @@ done
- no_reboot_needed
- restrict_strategy
- sudo_require_authentication
+
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "NOPASSWD" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "!authenticate" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
@@ -22981,46 +22981,6 @@ When operating systems provide the capability to escalate a functional capabilit
is critical that the user re-authenticate.
CCE-87838-9
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q sudo; then
-
-var_sudo_timestamp_timeout=''
-
-
-if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
- find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
-fi
-
-if /usr/sbin/visudo -qcf /etc/sudoers; then
- cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
- # sudoers file doesn't define Option timestamp_timeout
- echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
- else
- # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
- if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
-
- sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
- fi
- fi
-
- # Check validity of sudoers and cleanup bak
- if /usr/sbin/visudo -qcf /etc/sudoers; then
- rm -f /etc/sudoers.bak
- else
- echo "Fail to validate remediated /etc/sudoers, reverting to original file."
- mv /etc/sudoers.bak /etc/sudoers
- false
- fi
-else
- echo "Skipping remediation, /etc/sudoers failed to validate"
- false
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -23121,6 +23081,46 @@ fi
- no_reboot_needed
- restrict_strategy
- sudo_require_reauthentication
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q sudo; then
+
+var_sudo_timestamp_timeout=''
+
+
+if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \;
+fi
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*[-]?\w+.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option timestamp_timeout
+ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
+ else
+ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
+
+ sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -23138,13 +23138,6 @@ To properly set the permissions of /usr/bin/sudo, run the
BP28(R57)
Restricting the set of users able to execute commands as privileged user reduces the attack surface.
CCE-83574-4
-
-
-
-
-
-chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo
-
- name: Test for existence /usr/bin/sudo
stat:
path: /usr/bin/sudo
@@ -23171,6 +23164,13 @@ chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo
- medium_severity
- no_reboot_needed
- sudo_restrict_others_executable_permission
+
+
+
+
+
+
+chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo
@@ -23243,27 +23243,6 @@ Note that the '#' character doesn't denote a comment in the configuration file.<
Use of these configuration options makes it easier for one compromised accound to be used to
compromise other accounts.
CCE-86377-9
-
-sudoers_config_file="/etc/sudoers"
-sudoers_config_dir="/etc/sudoers.d"
-sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
-if [ "$sudoers_includedir_count" -gt 1 ]; then
- sed -i "/#includedir/d" "$sudoers_config_file"
- echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
-elif [ "$sudoers_includedir_count" -eq 0 ]; then
- echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
-else
- if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
- sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
- fi
-fi
-
-sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file"
-
-if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then
- sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/*
-fi
-
- name: Check for duplicate values
lineinfile:
path: /etc/sudoers
@@ -23381,6 +23360,27 @@ fi
- medium_severity
- no_reboot_needed
- sudoers_default_includedir
+
+
+sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+if [ "$sudoers_includedir_count" -gt 1 ]; then
+ sed -i "/#includedir/d" "$sudoers_config_file"
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+ if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+ fi
+fi
+
+sed -Ei "/^#include\s/d; /^@includedir\s/d" "$sudoers_config_file"
+
+if grep -Pr "^[#@]include(dir)?\s" "$sudoers_config_dir" ; then
+ sed -Ei "/^[#@]include(dir)?\s/d" "$sudoers_config_dir"/*
+fi
@@ -23484,75 +23484,6 @@ or if cvtsudoers not supported:
the invoking user for the "root" user password.
CCE-83422-6
- # Remediation is applicable only in certain platforms
-if rpm --quiet -q sudo; then
-
-if grep -x '^Defaults targetpw$' /etc/sudoers; then
- sed -i "/Defaults targetpw/d" /etc/sudoers \;
-fi
-if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then
- find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \;
-fi
-if grep -x '^Defaults rootpw$' /etc/sudoers; then
- sed -i "/Defaults rootpw/d" /etc/sudoers \;
-fi
-if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then
- find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \;
-fi
-if grep -x '^Defaults runaspw$' /etc/sudoers; then
- sed -i "/Defaults runaspw/d" /etc/sudoers \;
-fi
-if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then
- find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \;
-fi
-
-if [ -e "/etc/sudoers" ] ; then
-
- LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers"
-else
- touch "/etc/sudoers"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/sudoers"
-
-cp "/etc/sudoers" "/etc/sudoers.bak"
-# Insert at the end of the file
-printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers"
-# Clean up after ourselves.
-rm "/etc/sudoers.bak"
-if [ -e "/etc/sudoers" ] ; then
-
- LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers"
-else
- touch "/etc/sudoers"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/sudoers"
-
-cp "/etc/sudoers" "/etc/sudoers.bak"
-# Insert at the end of the file
-printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers"
-# Clean up after ourselves.
-rm "/etc/sudoers.bak"
-if [ -e "/etc/sudoers" ] ; then
-
- LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers"
-else
- touch "/etc/sudoers"
-fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/sudoers"
-
-cp "/etc/sudoers" "/etc/sudoers.bak"
-# Insert at the end of the file
-printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers"
-# Clean up after ourselves.
-rm "/etc/sudoers.bak"
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
- name: Gather the package facts
package_facts:
manager: auto
@@ -23930,6 +23861,75 @@ fi
- no_reboot_needed
- restrict_strategy
- sudoers_validate_passwd
+
+ # Remediation is applicable only in certain platforms
+if rpm --quiet -q sudo; then
+
+if grep -x '^Defaults targetpw$' /etc/sudoers; then
+ sed -i "/Defaults targetpw/d" /etc/sudoers \;
+fi
+if grep -x '^Defaults targetpw$' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/Defaults targetpw/d" {} \;
+fi
+if grep -x '^Defaults rootpw$' /etc/sudoers; then
+ sed -i "/Defaults rootpw/d" /etc/sudoers \;
+fi
+if grep -x '^Defaults rootpw$' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/Defaults rootpw/d" {} \;
+fi
+if grep -x '^Defaults runaspw$' /etc/sudoers; then
+ sed -i "/Defaults runaspw/d" /etc/sudoers \;
+fi
+if grep -x '^Defaults runaspw$' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/Defaults runaspw/d" {} \;
+fi
+
+if [ -e "/etc/sudoers" ] ; then
+
+ LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers"
+else
+ touch "/etc/sudoers"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/sudoers"
+
+cp "/etc/sudoers" "/etc/sudoers.bak"
+# Insert at the end of the file
+printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers"
+# Clean up after ourselves.
+rm "/etc/sudoers.bak"
+if [ -e "/etc/sudoers" ] ; then
+
+ LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers"
+else
+ touch "/etc/sudoers"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/sudoers"
+
+cp "/etc/sudoers" "/etc/sudoers.bak"
+# Insert at the end of the file
+printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers"
+# Clean up after ourselves.
+rm "/etc/sudoers.bak"
+if [ -e "/etc/sudoers" ] ; then
+
+ LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers"
+else
+ touch "/etc/sudoers"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/sudoers"
+
+cp "/etc/sudoers" "/etc/sudoers.bak"
+# Insert at the end of the file
+printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers"
+# Clean up after ourselves.
+rm "/etc/sudoers.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -23952,15 +23952,13 @@ $ sudo yum install binutils
foundational system operator activities, such as ld,
nm, objcopy and readelf.
CCE-82989-5
+
+package --add=binutils
+
[[packages]]
name = "binutils"
version = "*"
-
-
-if ! rpm -q --quiet "binutils" ; then
- yum install -y "binutils"
-fi
include install_binutils
@@ -23983,8 +23981,10 @@ class install_binutils {
- no_reboot_needed
- package_binutils_installed
-
-package --add=binutils
+
+if ! rpm -q --quiet "binutils" ; then
+ yum install -y "binutils"
+fi
@@ -24013,15 +24013,13 @@ $ sudo yum install dnf-plugin-subscription-manager
CCE-82315-3
+
+package --add=dnf-plugin-subscription-manager
+
[[packages]]
name = "dnf-plugin-subscription-manager"
version = "*"
-
-
-if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
- yum install -y "dnf-plugin-subscription-manager"
-fi
include install_dnf-plugin-subscription-manager
@@ -24044,8 +24042,10 @@ class install_dnf-plugin-subscription-manager {
- no_reboot_needed
- package_dnf-plugin-subscription-manager_installed
-
-package --add=dnf-plugin-subscription-manager
+
+if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
+ yum install -y "dnf-plugin-subscription-manager"
+fi
@@ -24070,15 +24070,13 @@ other required structures.
This package contains command line TLS client and server and certificate
manipulation tools.
CCE-82395-5
+
+package --add=gnutls-utils
+
[[packages]]
name = "gnutls-utils"
version = "*"
-
-
-if ! rpm -q --quiet "gnutls-utils" ; then
- yum install -y "gnutls-utils"
-fi
include install_gnutls-utils
@@ -24101,8 +24099,10 @@ class install_gnutls-utils {
- no_reboot_needed
- package_gnutls-utils_installed
-
-package --add=gnutls-utils
+
+if ! rpm -q --quiet "gnutls-utils" ; then
+ yum install -y "gnutls-utils"
+fi
@@ -24122,15 +24122,13 @@ posix capabilities of all the programs running on a system.
libcap-ng-utils also lets system operators set the file
system based capabilities.
CCE-82979-6
+
+package --add=libcap-ng-utils
+
[[packages]]
name = "libcap-ng-utils"
version = "*"
-
-
-if ! rpm -q --quiet "libcap-ng-utils" ; then
- yum install -y "libcap-ng-utils"
-fi
include install_libcap-ng-utils
@@ -24153,8 +24151,10 @@ class install_libcap-ng-utils {
- no_reboot_needed
- package_libcap-ng-utils_installed
-
-package --add=libcap-ng-utils
+
+if ! rpm -q --quiet "libcap-ng-utils" ; then
+ yum install -y "libcap-ng-utils"
+fi
@@ -24176,15 +24176,13 @@ server applications. Install the nss-tools package
to install command-line tools to manipulate the NSS certificate
and key database.
CCE-82396-3
+
+package --add=nss-tools
+
[[packages]]
name = "nss-tools"
version = "*"
-
-
-if ! rpm -q --quiet "nss-tools" ; then
- yum install -y "nss-tools"
-fi
include install_nss-tools
@@ -24207,8 +24205,10 @@ class install_nss-tools {
- no_reboot_needed
- package_nss-tools_installed
-
-package --add=nss-tools
+
+if ! rpm -q --quiet "nss-tools" ; then
+ yum install -y "nss-tools"
+fi
@@ -24230,15 +24230,13 @@ $ sudo yum install openscap-scanner
configuration and vulnerability scanner, capable of performing compliance checking using
SCAP content.
CCE-82220-5
+
+package --add=openscap-scanner
+
[[packages]]
name = "openscap-scanner"
version = "*"
-
-
-if ! rpm -q --quiet "openscap-scanner" ; then
- yum install -y "openscap-scanner"
-fi
include install_openscap-scanner
@@ -24261,8 +24259,10 @@ class install_openscap-scanner {
- no_reboot_needed
- package_openscap-scanner_installed
-
-package --add=openscap-scanner
+
+if ! rpm -q --quiet "openscap-scanner" ; then
+ yum install -y "openscap-scanner"
+fi
@@ -24280,21 +24280,13 @@ $ sudo yum install rear
image of a system and restores from backup using this image.
CCE-82883-0
+
+package --add=rear
+
[[packages]]
name = "rear"
version = "*"
-
- # Remediation is applicable only in certain platforms
-if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease ) ) ); then
-
-if ! rpm -q --quiet "rear" ; then
- yum install -y "rear"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
include install_rear
@@ -24322,8 +24314,16 @@ class install_rear {
- no_reboot_needed
- package_rear_installed
-
-package --add=rear
+ # Remediation is applicable only in certain platforms
+if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease ) ) ); then
+
+if ! rpm -q --quiet "rear" ; then
+ yum install -y "rear"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -24345,21 +24345,13 @@ $ sudo yum install rng-tools
such as those used in the formation of x509/PKI certificates.
CCE-82968-9
+
+package --add=rng-tools
+
[[packages]]
name = "rng-tools"
version = "*"
-
- # Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-if ! rpm -q --quiet "rng-tools" ; then
- yum install -y "rng-tools"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
include install_rng-tools
@@ -24384,8 +24376,16 @@ class install_rng-tools {
- no_reboot_needed
- package_rng-tools_installed
-
-package --add=rng-tools
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if ! rpm -q --quiet "rng-tools" ; then
+ yum install -y "rng-tools"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
@@ -24412,15 +24412,13 @@ package, or the SCAP Workbench GUI tool from the scap-workbench